Federal health IT bill reignites debate on patient privacy

Congress appears poised to enact legislation this fall that would help spur the development of a nationwide electronic health information system. But physician groups and privacy advocates say lawmakers should not approve the bill unless they also strengthen privacy protections for patients' personal health information.

Some doctors worry that current federal law leaves patients' electronic medical records exposed to inappropriate use and disclosure by hospitals, health insurers, employers and other entities. They say the health information technology legislation now making its way through Congress would increase that exposure exponentially unless stronger privacy protections are added to the bill.

"If we don't fix who can control access to our sensitive medical information, all we'll be doing is building the mother lode of data mining," said Deborah Peel, MD, a psychiatrist in Austin, Texas, and chair of a privacy watchdog group called the Patient Privacy Rights Foundation.

The foundation and 20 other organizations -- including the California Medical Assn. and the American Assn. of People with Disabilities -- sent a letter to House Republican and Democratic leaders in June urging them to include stronger privacy protections in the health IT legislation.

The letter stated that numerous patients have been harmed and have faced discrimination because federal law does not adequately protect patients against inappropriate disclosure of personal health information.

"Patients have lost current or future jobs, been kicked out of college, denied insurance, denied credit, lost their identity, and harmed in immeasurable ways when the private information they told their health care providers became known to others who used the information for reasons that have nothing to do with health care or payment," the groups wrote.

Such abuses will only increase if Congress fosters the development of a national health IT infrastructure without strengthening privacy, Dr. Peel said. "In an increasingly electronic environment, the dangers are unbelievable."

But others say such fears are greatly overblown.

Mary Grealy, president of the Healthcare Leadership Council in Washington, D.C., which represents large pharmaceutical and biotechnology companies, insurers, hospitals and health care systems, says the health care industry is being very careful to comply with the privacy safeguards enacted under the Health Insurance Portability and Accountability Act of 1996.

Grealy dismisses allegations that widespread misuse of patients' identifiable health information has occurred. "Physicians, hospitals and providers everywhere have undertaken very comprehensive plans to make sure they're complying with protecting patients' identifiable information and only using it to make sure they get the right treatment in the right place at the right time," she said.

Physicians concerned

But many physicians have grown increasingly worried that HIPAA's privacy protections are inadequate, said David C. Kibbe, MD, director of the American Academy of Family Physicians' Center for Health Information Technology.

One reason is that both doctors and patients are becoming more aware of potential threats to personal information due to incidents such as the recent theft of a Dept. of Veterans Affairs laptop that contained millions of veterans' Social Security numbers and other personal information.

Now that Congress is considering health IT legislation, this may be the time to re-examine HIPAA and try to close some of its gaps, Dr. Kibbe said.

For example, "why is it that only the so-called 'covered entities' have the obligation to protect the privacy of personal health information? It should apply to any entity, including employers and banks, that have information that includes personal health information," he said.

Under the law, physicians are among the "covered entities."

The American Medical Association raised concerns about these issues in a statement submitted to the House Energy and Commerce health subcommittee in March. "Forming a national health information infrastructure without adequate federal privacy protections threatens not only the privacy of patients, but also the viability of such a system," the AMA stated.

Dr. Peel's foundation and its coalition partners also pushed for privacy protections to be added to the House bill. But legislation the House passed in late July did not include any additional safeguards. Democrats offered privacy amendments during committee consideration, but they were voted down.

The Health Information Technology Promotion Act of 2006, sponsored by Reps. Nancy Johnson (R, Conn.) and Nathan Deal (R, Ga.), passed by a largely party-line vote of 270-148.

The health IT bill that the Senate unanimously approved in November 2005 also does not include any additional privacy protections.

Another opportunity

But privacy advocates and physician groups still hope to see safeguards added to the health IT bill before its final passage. There will be an opportunity to add new language when a House-Senate conference committee meets this fall to work out differences between the House and Senate bills.

"We would love for the conference committee to have a fresh discussion," Dr. Peel said.

Privacy supporters also will be watching whether conferees hold the line against any effort to add language that would preempt state privacy laws. Under HIPAA, health care entities must abide by not only federal privacy protections but also by any stronger state privacy laws.

Some groups, including the Healthcare Leadership Council, say this creates a complicated patchwork of state and federal laws that hinder the development of an interoperable electronic health information system. "We think it's a huge barrier," Grealy said. "What we've been looking for is a uniform, national standard so you don't have all this state-by-state variation."

But privacy advocates and physician groups opposed overriding stronger state privacy laws, and that language was not included in the final House version. Instead, the House bill would enable the Health and Human Services secretary to study the differences and commonalities among federal and state privacy laws and then submit recommendations to Congress on how to harmonize the various laws. The Senate bill would keep the HIPAA requirement that tougher state laws prevail and does not call for a study of the issue.

Avoiding an outright preemption of state privacy laws "is something we fought hard for," said Kristin Maupin, associate director of federal affairs for the American Psychiatric Assn.

"We were relieved to see that at least the status quo had been maintained, and we're going to continue to work to further our privacy concerns as this continues," she said.