ITAA on proposed med-privacy rules
> http://www.itaa.org/isec/pubs/ecurrent.cfm
> E-HEALTH: ADMINISTRATION PROPOSES MEDICAL RECORDS
> PRIVACY RULES
> HHS Secretary Donna E. Shalala proposed a set of
> national standards to protect the privacy of Americans'
> personal health records. The standards will apply to
> medical records created by health care providers,
> hospitals, health plans and health care clearinghouses
> that are either transmitted or maintained
> electronically, and the paper printouts created from
> these records.
>
> Shalala noted that Americans are increasingly worried
> that the privacy of their medical information will be
> violated. Some have even taken action to avoid creating
> a medical record, including withholding information
> from their doctors, changing doctors, or even avoiding
> care altogether. "We cannot allow the absence of
> privacy protections to compromise the quality of care
> in our nation," Secretary Shalala said. "Our proposals
> will provide Americans with greater peace of mind as
> they seek care, yet they are balanced with the need to
> protect public health, conduct medical research and
> improve the quality of health care for the nation."
>
> The bipartisan Health Insurance Portability and
> Accountability Act of 1996 (HIPAA) -- also known as the
> Kassebaum-Kennedy law -- called on Congress to enact
> comprehensive national medical record privacy standards
> by Aug. 21, 1999. If Congress was unable to meet that
> deadline, HIPAA required the Secretary of HHS to issue
> final regulations by Feb. 21, 2000. HHS's proposal
> marks the beginning of that regulatory process.
>
> The proposal reflects the five principles outlined by
> Secretary Shalala in September 1997 as part of her
> Recommendations for Protecting the Confidentiality of
> Individually Identifiable Health Information:
>
> * Consumer Control. The standards provide consumers
> with important new rights, including the right to
> see a copy of their medical records; the right to
> request a correction to their medical records; and
> the right to obtain documentation of disclosures
> of their health information.
> * Accountability. The statute includes new penalties
> for violations of a patient's right to privacy.
> These penalties include, for violations of the
> privacy standards by the persons subject to them,
> civil monetary penalties of up to $25,000 per
> person, per year, per standard. There are also
> substantial criminal penalties applicable to
> certain types of violations of the statute that
> are done knowingly: up to $50,000 and one year in
> prison for obtaining or disclosing protected
> health information; up to $100,000 and up to five
> years in prison for obtaining protected health
> information under "false pretenses"; and up to
> $250,000 and up to 10 years in prison for
> obtaining protected health information with the
> intent to sell, transfer or use it for commercial
> advantage, personal gain or malicious harm.
> * Public Responsibility. Privacy protections must be
> balanced with the public responsibility to support
> such national priorities as protecting public
> health, conducting medical research, improving the
> quality of care, and fighting health care fraud
> and abuse. For example, public health agencies
> routinely use health records in their efforts to
> protect the public from outbreaks of infectious
> diseases.
> * Boundaries. With few exceptions, an individual's
> health care information should be used for health
> purposes only, including treatment and payment.
> For example, a hospital could use personal health
> information to provide care, teach, train and
> conduct research and ensure quality. However,
> employers who also function as health care
> providers or health plans would be barred from
> using information for non-health purposes like
> hiring, firing or determining promotions.
> Similarly, insurers could not use such information
> to underwrite other products, such as life
> insurance.
> * Security. Organizations that are entrusted with
> health information must protect it against
> deliberate or inadvertent misuse or disclosure.
> The proposed standards would require each covered
> organization to establish clear procedures to
> protect patients' privacy, designate an official
> to monitor that system and notify their patients
> about their privacy protection practices. In
> addition, those who get information and misuse it
> would be subject to the penalties outlined in the
> proposal.
>
> The proposed standards would enhance the protections
> afforded by many existing state laws. In circumstances
> where the federal rules and state laws are in conflict,
> the stronger privacy protection would prevail. The
> proposed privacy standards would apply to consumers
> whether they are privately insured, uninsured or
> participants in public programs such as Medicare or
> Medicaid.
>
> While the privacy standards proposed are a significant
> step toward protecting patients' confidentiality, HHS
> does not currently have the authority to protect all
> medical records. Under HIPAA, HHS does not have the
> authority to protect records that are maintained in
> paper form only. HIPAA also does not allow HHS to issue
> standards for records that are maintained by other
> insurers, or by employers for worker's compensation
> purposes. The proposed rule does not establish
> appropriate restrictions on the use or redisclosure of
> such information by likely recipients, such as
> researchers, life insurance issuers, marketing firms,
> or administrative, legal and accounting services.
>
> HHS also lacks the authority to provide Americans with
> the right to take action in court when their medical
> information is used inappropriately -- a critical
> consumer protection that only Congress can provide. The
> Clinton Administration has called upon Congress to
> close these important gaps and enact comprehensive
> national legislation to ensure that all medical records
> are protected.
>
> The proposed rule will be open for comment from the
> public for 60 days.
>
> In addition to the proposed HHS regulation, several
> medical records legislative initiatives are currently
> under consideration:
>
> * HR 1057, the Medical Information Privacy and
> Security Act, introduced on March 10, 1999 by Rep.
> Ed Markey (D-MA) and cosponsored by 41 Democratic
> Representatives and Delegates.
> * HR 1941, the Health Information Privacy Act,
> introduced on May 25, 1999 by Rep. Gary Condit
> (D-CA), and cosponsored by 65 Democratic
> Representatives and Delegates. (There is
> substantial overlap in the co-sponsorship lists
> of HR 1057 and 1941.)
> * HR 2470, the Medical Information Protection and
> Research Enhancement Act of 1999, introduced on
> July 12, 1999 by Rep. James Greenwood (R-PA), and
> cosponsored by 8 Republicans and 2 Democrats (Rep.
> Earl Hilliard and Rep. William Lipinski).
> * S 573, the Medical Information Privacy and
> Security Act, sponsored by Sen. Pat Leahy.
> * S 881, the Medical Information Protection Act,
> sponsored by Sen. Bob Bennett.
>