As fall settles over the capital, the Aug. 21 deadline for Congress to pass legislation regulating the use of personal medical data becomes a memory. Now, under the Health Insurance Portability and Accountability Act, the task of regulation development falls to the Department of Health and Human Services.
HHS would rather see Congress get its act together because HHS's authority under HIPAA is limited. "There's still hope that Congress will pass comprehensive legislation this fall," says Secretary Donna Shalala.
But the privacy issue is becoming entangled in that legislative nightmare known as patients' rights. Increasingly, insiders say, it looks like confidentiality will remain unresolved unless Congress agrees first on a package that addresses HMO liability. And legislators' track record on that score is convincingly unimpressive.
If you want something done...
HHS has no choice but to proceed. Spokeswoman Lorrie McHugh says HHS will release draft regulations for comment this fall. HHS is required, by law, to issue a final rule by Feb. 21.
HHS has been working internally to put together a proposal. Shalala has instructed staffers to follow five basic principles she set out in recommendations to Congress in 1997: boundaries, security, consumer control, accountability, and public responsibility.
In reaffirming those principles, Shalala commented that "With very few exceptions, a health care consumer's personal information should only be used for health-related activities."
A hospital should be able to use personal health information to provide care, teach, train, conduct research, and ensure quality, but employers should be barred from using the information for nonhealth purposes, such as hiring, firing, or promoting, Shalala contends. And, she says, insurers shouldn't be able to use it for underwriting.
Patients also are entitled to have their information protected from improper disclosure. However, Shalala notes, "In a democratic society, the right to privacy, like the right to free speech, is never absolute," so provisions will assure that information is available to entities when necessary to deal with emergencies — public health agencies using it to combat infectious-disease outbreaks, for instance.
President Clinton continues to trumpet patient privacy as a populist issue, urging Congress to include it either as part of a Patients Bill of Rights or as a stand-alone bill. At a White House meeting on health care priorities, Clinton laid out six "challenges" for Congress:
- Pass a "strong and enforceable" Patients Bill of Rights for managed care enrollees;
- Strengthen and modernize Medicare;
- Assure that people with disabilities keep their health insurance when going to work;
- Increase cigarette taxes to discourage teenage smoking;
- Expand health coverage for children of working families; and
- "Protect the sanctity of medical records."
Earlier this year, the Senate Health, Education, Labor, and Pensions Committee was near agreement on a compromise privacy bill. But the panel scrubbed two meetings when members couldn't resolve some thorny areas of contention — including whether to allow lawsuits by patients whose information is disclosed improperly.
The original legislation, drafted by Vermont Republican Sen. James Jeffords, included provisions for lawsuits for compensatory and punitive damages. Those appear outside of the comfort zone of several committee members, but Jeffords is still hopeful an agreement on patient-privacy provisions can be reached this session.
On the House side, Republicans introduced, Sept. 9, a bill (HR 2824) to regulate HMOs, including provisions to allow patients to sue in federal court for "genuine injuries." The House is expected to debate the measure this month. While the Shadegg-Coburn measure doesn't specifically address privacy, it could wind up becoming the House's privacy vehicle.
Georgia Republican Rep. Charles Norwood, who, with Democrat John Dingell of Michigan has crafted his own managed care bill, says Coburn and Shadegg "have brought the Republican leadership a lot further along than anyone thought possible. They should be congratulated by everyone who's serious about reform."
But the insurance industry is unenthusiastic about any of the measures. Charles Kahn, president of the Health Insurance Association of America, says the beneficiaries of Shadegg-Coburn and other such legislation "would be trial lawyers — not to mention politicians on both sides grandstanding for their own benefit.
"The dirty little secret" of all of the bills, he continues, is that "consumers and employers would be stuck with the tab, and would struggle to shoulder higher health care costs."
An aide to Sen. Bill Frist, a Republican physician from Tennessee and chairman of the public health subcommittee, notes that the Senate managed care bill, passed in July, included privacy provisions. There's no telling when that will move forward, he says. "We're waiting now for the House. If they include something on patient privacy, it will make it easier when they take the bills to conference."
Privacy concerns also have come up in HR 10, the Financial Services Act of 1999, which is intended to remove Depression-era regulations that prevent affiliations among banks, securities firms, insurance companies, and other financial institutions. Some provisions would allow them to share a person's medical information for research, but AMA Trustee Donald Palmisano, M.D., worries this would allow institutions to use sensitive information for "a vast array of marketing evaluations or consumer-profiling ventures." He says such information should not be "an item of commerce."
The AMA favors an "opt-in" provision for medical records, arguing that the prudent course would be to prohibit the transfer of medical records — even among affiliated entities — without a patient's consent.
Such information can't be "unshared" later, Palmisano points out. "Once a financial institution has medical information, it becomes a permanent part of our consumer profile."
The confidentiality provisions of HR 10, as placed on the Senate calendar, provide that insurers and their affiliates "shall maintain a practice of protecting the confidentiality of individually identifiable customer health, medical, and genetic information," except in these instances with a person's consent:
- Underwriting, premium processing, and investigations;
- Providing information to the customer's physician or other provider;
- Participating in research projects;
- Enabling the purchase, sale or transfer of insurance-related business; and
- Settlement of payments, investigations by legal or regulatory authorities, and fraud protection.
Another dicey managed care issue is up for grabs. In this case, the game is likely to continue until the new year — and maybe even beyond.