Law Would Guard Medical Records White House Measure Prohibits Insurers, Others From Checking Private Information
Clinton administration officials say they will soon propose a comprehensive federal law to protect the privacy of medical records, to let consumers inspect their own files and to punish any unauthorized disclosures of personal data by hospitals, insurers, health plans or drug companies.
The measure would establish minimum federal standards to control the use of such information in the era of managed care, when insurance companies and health maintenance organizations have the ability and, in many cases, a financial incentive to collect and sell data revealing the most intimate secrets of millions of patients.
“Our private health information is being shared, collected, analyzed and stored with fewer federal safeguards than our video store records,” said Donna Shalala, the secretary of health and human services. “The way we protect the privacy of medical records right now is erratic at best, dangerous at worst.”
The administration plans to send detailed recommendations on medical privacy to Congress later this month, as required by the 1996 law that made health insurance more readily available to people who change jobs or lose their jobs.
“At present,” Shalala said in an interview, “we rely on a patchwork of state privacy laws, only about a dozen of which are comprehensive. We have no real federal health-care privacy standards. We have no national standards.”
Robert Gellman, an expert on privacy and information policy, said the administration’s proposals “would impose greater restrictions on the use of medical records than any state law.”
If approved by Congress, the proposals would be the most significant protections for sensitive personal data since the Privacy Act of 1974, a landmark law that regulates the way federal agencies keep records on individuals.
The outlook for the administration’s proposals on Capitol Hill is unclear. Many lawmakers of both parties demand greater privacy for health records. But few have focused on the details, which will be a subject of intense lobbying by all segments of the health-care industry.
In translating abstract principles into concrete safeguards, lawmakers may offend companies that have large financial interests in the use of personal health information. One major incentive for action was established last year in another law, which gave the department the authority to impose rules itself if Congress does not act by August 1999.
The administration’s proposals chart a middle ground. They reject the position of federal and state prosecutors who wanted unfettered access to medical records and an exemption from any new federal legislation. At the same time, the administration spurned the pleas of psychiatrists and the most outspoken privacy advocates, who wanted even stricter safeguards like giving patients a right to veto any use of their medical records.
While declaring that “privacy rights can never be absolute,” Shalala said Congress should establish a code of fair information practices. Specifically, she said, the administration will propose these standards:
Medical records should, with very few exceptions, be disclosed “for health care, and health care only.”
Patients should be able to get copies of their medical records and to make corrections in inaccurate information, just as they can correct credit records. In addition, they should be able to find out who has been looking in their records.
Hospitals could use personal health information in training doctors and nurses, in conducting research and in monitoring the quality of care. But employers who received such data in the process of paying claims could not use the information in making employee assignments and promotions or for any other purpose unrelated to health care.
Those who have access to confidential medical information, including insurers, drug distributors and billing-service companies, should be bound by the same standards as doctors and hospitals. This would plug a loophole in the laws of many states.
People who improperly disclose medical records or misrepresent themselves to obtain such data should be subject to criminal penalties.