
Policy Post 2.30 - New Electronic Health Info Provisions Pose Privacy Risks

      _____ _____ _______
     / ____|  __ \__   __|   ____        ___               ____             __
    | |    | |  | | | |     / __ \____  / (_)______  __   / __ \____  _____/ /_
    | |    | |  | | | |    / /_/ / __ \/ / / ___/ / / /  / /_/ / __ \/ ___/ __/
    | |____| |__| | | |   / ____/ /_/ / / / /__/ /_/ /  / ____/ /_/ (__  ) /_
     \_____|_____/  |_|  /_/    \____/_/_/\___/\__, /  /_/    \____/____/\__/
     The Center for Democracy and Technology  /____/     Volume 2, Number 30
        A briefing on public policy issues affecting civil liberties online
   CDT POLICY POST Volume 2, Number 30                       August 16, 1996
   CONTENTS: (1) New Electronic Health Information Provisions
                 Pose Privacy Risks
             (2) How to Subscribe/Unsubscribe
             (3) About CDT, contacting us
    ** This document may be redistributed freely with this banner intact **
          Excerpts may be re-posted with permission of <editor@cdt.org>
           ** This document looks best when viewed in COURIER font **

  "The Medical Records Confidentiality Act" (S. 1360) remains stalled as
  Congress continues its summer recess.  The Senate Labor and Human Resources
  Committee indefinitely delayed mark-up of the bill due to opposition from a
  number of industry groups.

  Although S. 1360 (also known as the Bennett-Leahy bill) remains in limbo,
  Congress did take some action that impacts medical records privacy.  The
  recently-passed Kennedy-Kassebaum Health Insurance Portability and
  Accountability Act of 1996 (HR 3103) contains a section known as
  "Administrative Simplification."  This section of the Act mandates the
  development and adoption of standards for electronic exchanges of health
  information.  It also mandates that Congress or the Secretary of Health and
  Human Services (HHS) develop privacy rules to govern such electronic
  exchanges; however, these rules may not be in place before the electronic
  system is implemented.

  CDT and other privacy and consumer advocates urged Congress to include strong,
  comprehensive privacy rules in any administrative simplification proposal
  considered by Congress.  While we fell short of that goal, there are a number
  of provisions in the Kassebaum-Kennedy bill that affect individual privacy,
  data confidentiality and security.  Most importantly, the law mandates that
  Congress enact privacy rules to protect health information within the next 36
  months; and, if Congress fails to act, the law requires the Secretary of HHS
  to promulgate final regulations establishing privacy rules within the
  following six months.

  While the passage of administrative simplification language without strong
  statutory privacy protections included at the outset is disappointing and
  threatens privacy, the recently enacted provisions set a privacy agenda in two
  areas.  They provide an opportunity to reinvigorate efforts in Congress to act
  upon pending health information privacy legislation, and to work with the
  Department of Health and Human Services to develop privacy regulations.

  CDT believes it is critical that supporters of the Bennett-Leahy bill and
  similar legislative proposals seize this opportunity to move health privacy
  legislation.  It is imperative that privacy safeguards be in place prior to
  the development or adoption of standards for electronic handling of health
  information.  CDT looks forward to working with other privacy and consumer
  advocates to support national health privacy policy.

  For more information and background about this and other related topics,
  please visit CDT's Health Information Privacy Issues Page:

  Administrative Simplification

  The law directs the Secretary of Health and Human Services (HHS) to:
  * adopt standards for the electronic exchange of a variety of health care
  * adopt standards for a unique health identifier for each individual,
    employer health plan and health care provider;
  * adopt security standards for health information; and
  * adopt safeguards that require those who maintain or transmit health
    information to adopt reasonable and appropriate administrative, technical,
    and physical safeguards that will protect the integrity and
    confidentiality, and protect against unauthorized uses and disclosures of
    health information.
  It requires covered entities to come into compliance with standards within 24
  months of their adoption.

  Privacy Provisions

  * Within 12 months of enactment, HHS must submit a report to Congress on the
    privacy of individually identifiable health information.  The report must
    address the rights individuals should have with respect to such information,
    the procedures that should be established for exercising these rights, and
    the uses and disclosures of information that should be authorized or
  * Within 36 months of passage, Congress must enact legislation protecting
    the privacy of health information in standards for electronic exchange.
  * If Congress fails to enact privacy legislation within 36 months, HHS must
    promulgate final regulations protecting the privacy of health information
    in standards for electronic exchange within the following six months.
  * The law maintains existing state confidentiality statutes that are stronger
    than those enacted by Congress or promulgated by HHS.
  * The law establishes criminal and civil penalties for those who knowingly
    and in violation of the act:
       - misuse unique health identifiers;
       - obtain individually identifiable health information;
       - disclose individually identifiable health information.

  Be sure you are up to date on the latest public policy issues affecting
  civil liberties online and how they will affect you! Subscribe to the CDT
  Policy Post news distribution list.  CDT Policy Posts, the regular news
  publication of the Center For Democracy and Technology, are received by
  nearly 10,000 Internet users, industry leaders, policy makers and
  activists, and have become the leading source for information about
  critical free speech and privacy issues affecting the Internet and other
  interactive communications media.
  To subscribe to CDT's Policy Post list, send mail to
  with a subject:
       subscribe policy-posts
  If you ever wish to remove yourself from the list, send mail to the
  above address with a subject of:
       unsubscribe policy-posts

  The Center for Democracy and Technology is a non-profit public interest
  organization based in Washington, DC. The Center's mission is to develop
  and advocate public policies that advance democratic values and
  constitutional civil liberties in new computer and communications

  Contacting us:
  General information:  info@cdt.org
  World Wide Web:       URL:http://www.cdt.org/
  FTP:                  URL:ftp://ftp.cdt.org/pub/cdt/
  Snail Mail:  The Center for Democracy and Technology
               1634 Eye Street NW * Suite 1100 * Washington, DC 20006
               (v) +1.202.637.9800 * (f) +1.202.637.0968

  End Policy Post 2.30                                            8/16/96