In 1996, Congress instructed the Secretary of Health and Human Services (HHS) to issue recommendations on national standards for protecting the privacy of personal medical information through a provision in the Health Insurance Portability and Accountability Act. HHS Secretary Donna Shalala submitted her recommendations to Congress last September. Citing the nation’s shift toward managed care and the growing use of information technology and electronic record keeping as cause for concern, Shalala outlined a set of restrictions and guidelines for federal legislation. Targeting the healthcare and insurance industries, the HHS rules would prohibit using personally identifiable medical information for purposes unrelated to healthcare delivery or administration without patient authorization. The guidelines carve out protections for scientific use of medical data by allowing healthcare providers to release information without authorization for public health surveillance. The guidelines would also allow researchers to use personally identifiable data without patient authorization, but only if such use is proven to be absolutely necessary to justify intruding upon the patient’s privacy.

While many welcomed the HHS recommendations as a valuable contribution to the dialogue on this issue, some privacy advocates and Members of Congress criticized them for not going far enough. Some privacy advocates argued that the recommendations would guard against using medical information for discriminatory purposes, but do nothing to reduce the number of doctors, administrators, scientists, and others who would have access to the sensitive data.

Sen. Patrick Leahy (D-VT), a long-time participant in the medical privacy debate, stressed that the proposal would give law enforcement officials easy access to medical records. Sen. Leahy’s medical privacy bill (S. 1368), like many of the other proposals currently on the table, would require law enforcement officers to obtain warrants in order to search medical records.

Sen. Robert Bennett (R-UT) echoed the concerns about law enforcement access, but differs from Sen. Leahy’s views and the Administration proposal by arguing that federal regulations should preempt existing state privacy laws, even if the state rules are stricter. “The need for federal standardization is paramount,” Sen. Bennett stated in an October hearing held by the Senate Labor and Human Resources Committee.

Advocates for medical and public health research, as well as many in the healthcare industry, have cautioned against laws requiring patient authorization of personal medical information for research. In a hearing before the Subcommittee on Health of the House Ways and Means Committee, Dr. Sherine E. Gabriel of the Mayo Clinic said, “individuals who refuse to authorize the use of their medical records for research purposes are systematically different in important ways from individuals who do.” Allowing patients to refuse authorization could, therefore, have the effect of skewing the conclusions of scientific studies.

Janlori Goldman, director of the Health Privacy Project at Georgetown University’s Institute for Health Care Research and Policy, offered a different perspective. She said that patients would be less likely to seek healthcare or disclose information to their physicians “without trust that the personal, sensitive information they share with their doctors will be handled with some degree of confidentiality.” This would harm society by impeding both scientific progress and public health.

In an effort to garner a legislative consensus, Sen. James Jeffords (R-VT), along with Sen. Christopher Dodd (D-CT), introduced a new medical records privacy bill (S. 1921) on April 3. The Jeffords bill would establish national standards for privacy while allowing states to pass stricter rules in some specific areas, like public health and mental health. It would also require law enforcement officials to get a subpoena or warrant to access personal medical data. Regarding research, the bill conforms to the HHS recommendations by allowing personal data to be used without patient consent by scientists who can prove they need it.

Sen. Jeffords was prompted to introduce his bill by the prospect of new European data privacy rules, which take effect in October. The European Data Privacy Directive would limit the ability of the United States to exchange data with the European Union, which may hurt the international competitiveness of U.S. insurance companies and other service industries that trade in information. The Health Insurance Portability and Accountability Act also has a deadline, requiring Congress to pass privacy rules by 1999 or else leave the job to HHS. Sen. Jeffords, chairman of the Senate Labor and Human Resources Committee, hopes to hold a markup for his legislation before the Memorial Day recess.

The HHS recommendations are available online at: http://www.epic.org/privacy/medical/hhs_recommendations_1997.html