By George G. Olsen, JD; Karina V. Lynch, JD; and Evan L. Morris
Congress is currently considering numerous medical privacy bills, and is likely to pass medical privacy legislation before the end of the session. In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) that requires the Department of Health and Human Services (HHS) to mandate how health care providers, health plans, and clearinghouses share personal health information among themselves and with their research and marketing partners. HHS proposed privacy regulation in November 1999. Despite completing the requisite notice and comment period, HHS has yet to promulgate a final rule on medical privacy. HIPAA also requires HHS to design rules granting patients legal rights to control the use of their personal health data.
The federal regulatory standards designed to protect the privacy of personal health data remain in development and are unlikely to be released in the immediate future. HHS had originally scheduled the release of the final rule for the end of summer, and subsequently postponed its release until September 18. No date has been set for the release of the final rule.
Thompson-Kohl bill
On September 13, 2000, Senate Government Affairs Chairman Fred Thompson (R-Tenn) and Senator Herb Kohl (D-Wis) introduced S 3040, the Privacy Commission Act. This bill has 15 cosponsors. Representatives Asa Hutchinson (R-Ark) and James Moran (D-Va) introduced companion legislation in the House, HR 4049, which has 36 cosponsors. These bills require the establishment of a commission to be known as the Commission for the Comprehensive Study of Privacy Protection. President Clinton has expressed opposition to the legislation.
The Privacy Commission Act requires the Commission “to conduct a study of issues relating to protection of individual privacy and the appropriate balance to be achieved between protecting individual privacy and allowing appropriate uses of information.” Specifically, the Commission would be required to examine:
The monitoring, collection, and distribution of personal information by Federal, state, and local governments.
Current efforts to address the monitoring, collection, and distribution of personal information by Federal and state governments.
The monitoring, collection, and distribution of personal information by individuals or entities, including access to and use of medical records.
Employer practices and policies with respect to the financial and health information of employees.
The extent to which individuals in the United States can obtain redress for privacy violations.
The extent to which older individuals and disabled individuals are subject to exploitation involving the disclosure or use of their financial information.
The Thompson-Kohl bill requires the Commission to submit a report to Congress and the President no later than December 31, 2001. The report must include:
Findings on potential threats posed to individual privacy;
Analysis of purposes for which sharing of information is appropriate and beneficial to consumers;
Analysis of the effectiveness of existing statutes, regulations, private sector self-regulatory efforts, technology advances, and market forces in protecting individual privacy;
Recommendations on whether additional legislation is necessary, and if so, specific suggestions on proposals to reform or augment current laws and regulations relating to individual privacy;
Analysis of purposes for which additional regulations may impose undue costs or burdens, or cause unintended consequences in other policy areas, such as security, law enforcement, medical research, employee benefits, or critical infrastructure protection;
Cost analysis of legislative or regulatory changes proposed in the report;
Recommendations on nonlegislative solutions to individual privacy concerns, including education, market-based measures, industry best practices, and new technology; and
A review of the effectiveness and utility of third-party verification, including private sector self-regulatory efforts.
Vice President Gore’s Proposal
On September 21, 2000, Democratic presidential candidate Al Gore announced a new plan to protect medical privacy. He would expand current protections and seek legislation to ensure that private medical information is not released without the written consent of the patient. His plan would protect paper as well as electronic records from misuse. He would also expand current protections to ensure that any entity generating, maintaining, or receiving health records—including employers, life insurers, and workers’ compensation plans—could not use this information for non-health-related purposes such as marketing, without prior consent.
Vice President Gore has said that he would also seek legislation creating a new private right of action and new criminal and civil penalties to hold health maintenance organizations (HMOs) and insurance companies accountable. Gore also endorsed legislation introduced by Sen Tom Daschle (D-SD) and Rep Louise Slaughter (D-NY) to ensure that genetic information cannot be used to discriminate against persons seeking employment, promotion, or health insurance.
National Association of Insurance Commissioners (NAIC)
On September 26, 2000, NAIC approved a new model state law designed to protect consumer financial and health information from unauthorized disclosures to third parties. The model law is a direct response to requirements for protecting health data set forth in the Gramm-Leach-Bliley Act (GLBA), which was enacted in November 1999, and allows financial institutions to affiliate with securities and insurance firms. The GLBA final rule implies that once it is in place, health data privacy standards that are in development at HHS, which in a proposed rule require prior authorization for disclosures outside of treatment, payment, and health care operations, would preempt the GLBA’s privacy provisions. GLBA will become effective November 13, 2000, with compliance required by July 1, 2001.
However, HHS has not yet released its final regulation. Therefore, NAIC believes its regulations will provide consumers with protection until the HHS regulation is implemented. The NAIC model requires consumers to opt-in to disclosures of personal health information between a financial institution and its affiliated companies, but an exception is provided for specific business transactions. Critics of GLBA say its privacy protections are limited because the law allows financial institutions to share information, including health data, with their affiliated companies without consumer consent. The NAIC model law requires special rules for disclosure of nonpublic personal health data. Companies must obtain permission from their customers if they wish to share, sell, market, or give away health information.
George G. Olsen, JD, and Karina V. Lynch, JD, are members of the firm Williams & Jensen, PC, Washington, DC. Olsen is also legal counsel for the National Association of Rehabilitation Awareness. Evan L. Morris is a law student at George Washington University, Washington, DC, and a summer associate at Williams & Jensen.