
Medical Privacy and Electronic Records

Document Date: July 22, 2008

Legislation aimed at pushing doctors and reluctant health care providers toward a conversion from paper to electronic health records stored in searchable web-based databases is moving through Congress. A key House panel is voting tomorrow on its proposal.

The ACLU is greatly concerned that the effort to pass H.R. 6357, the PRO(TECH)T Act of 2008, in the Energy and Commerce Committee on July 23 does not ensure the medical privacy of electronic health records.

The bill authorizes $115 million in grants and loans annually up to a total of $575 million over 5 fiscal years in order to induce companies to introduce electronic health records systems quickly and universally.

Although proponents say converting to electronic health records via new health information technology software and hardware will reduce medical error, improve patient care and save money, in poll after poll Americans, both doctors and patients, harbor worries that their personally identifiable medical data will not be protected.

Virtually all the pending bills lack important privacy and security protections for the online databases that would store patients’ electronic health records and prescriptions. This may in part be because lobbyists are pushing hard to eliminate anything that could slow down establishment of these new incentives.

If Congress fails to require strong privacy and security standards now as databases and networks are being built, Congress may pass legislation with undesirable consequences:

        · Identity theft;

        · Accidental publication of patients’ sensitive or embarrassing personal information;

        · Discriminatory review by insurance companies or potential employers so they can avoid paying for people who might be expensive to insure or employ;

        · Invasive direct marketing to patients or doctors by competing drug companies; and

        · Commercial resale or misuse of personal health information.

        The bills need to expand the scope of national privacy protections to include the whole medical marketplace.

        · HIPAA is not enough; HIPAA standards make Swiss cheese look like it’s got no holes.[1]

        · Snoopers and hackers must be kept out. Security measures are not the same as privacy protection.

        · Promises that information in the databases can be stripped of personal identifiers are hollow. An MIT professor reported it was easy to reconstruct her governor’s private health records merely using gender, date of birth and zip code. De-identified information is not safe to sell.

        Seventy percent of Americans fear national medical efficiency initiatives will reduce privacy protections.

        At least 30 percent of Americans are not sharing their complete medical histories with physicians not directly involved in their cases.

        The ACLU urges Congress to include the following patient controls and privacy protections in whatever legislation becomes the vehicle for health IT development:

        · Real patient control of data, including the patient’s rights to review his/her files, correct bad data, block access to personal information, and the choice to opt out of the system

        · Prompt patient notification of database breaches by codified and enforced deadlines

        · Fair compensation for damages in the event patient data is misused or stolen

        · Fair, nondiscriminatory medical treatment for patients who opt out of the data system

        · Mandatory use of data security safeguards such as encryption and other technologies

        Worth noting… Congress’ protections pale when compared to those offered by Microsoft. Microsoft promises it won’t use health information in its own HealthVault database for commercial purposes. Congress says it wants to “drive the marketplace” toward having standards.

        An obvious question is: Why can’t Congress offer all citizens the same protection as Microsoft? Why is it trying to mandate a much lesser standard for databases run by insurers and hospitals than those controlled by consumers?

        More on pending bills

        H.R. 6357, the PRO(TECH)T Act, officially called “Protecting Records, Optimizing Treatment, and Easing Communication through Healthcare Technology Act of 2008,” was introduced by House Energy and Commerce Committee Chairman John Dingell (D-MI) and Ranking Republican Member Joe Barton (R-TX) on May 22. The bill, which was approved by voice vote in the Health Subcommittee led by Reps. Frank Pallone (D-NJ) and Nathan Deal (R-TX) in late June, would support (via grants and national standards) the development by 2014 of expensive databases for storing and sharing Americans’ medical information.

        A similar “Wired” bill, S. 1693, cosponsored by Senators Edward Kennedy (D-MA) and Mike Enzi (R-WY) and formally called the Wired for Health Care Quality Act, would enable hospitals and other health providers to purchase health information technology. It would also require the government to provide software and hardware standards for its own health functions, like Medicare, to set an example for the private sector. Senator Patrick Leahy (D-VT) recently added minor privacy-related provisions and Senator Olympia Snowe (R-ME) would like to add others.

        The House Ways and Means Committee will likely help to ready a bill for full House consideration. Note that H.R. 3800, the House companion bill to the “Wired” bill, cosponsored by Representatives Anna Eshoo (D-CA) and Mike Rogers (R-MI), is not moving through the House due to the introduction of the PRO(TECH)T Act.

        For more information see USA Today, this article on buying and selling health records, ACLU’s letter to Reps. Dingell and Barton and their committee pages. Another good source on needed privacy protections is H.R. 5442, the TRUST bill sponsored by Rep. Ed Markey (D-MA) and Amednews.com.

        [1] Since 2003 the federal Health Insurance Portability and Accountability Act (HIPAA) has set a national standard for privacy of health information. But HIPAA only applies to medical records maintained electronically by health care providers, health plans, and health clearinghouses. (PRC Fact Sheet 8a, “HIPAA Basics,” www.privacyrights.org/fs/fs8a-hipaa.htm)
