
Medical Records Privacy Discussed at Senate Committee Hearing

One year after the Senate Health, Education, Labor, and Pensions Committee held its first hearing on medical records privacy, the committee held an April 26 hearing on the issue. Under the 1996 Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-91), Congress was given an August 1999 deadline to enact a comprehensive medical privacy law. If Congress failed to act by August 21, then the Department of Health and Human Services (HHS) was authorized to enact privacy protections through regulations.

Last year the committee made several attempts to mark up medical records privacy legislation, but members of the committee were unable to sort out their differences on two key issues: the ability of patients to sue if their privacy is violated by the inappropriate release of their medical records and whether a parent should be allowed access to a minor’s medical records if the minor objects to such access. The House never considered similar legislation, and Congress failed to meet the deadline.

As a result, HHS issued its proposed regulations on November 3, 1999. The proposed regulations, which would take effect in 2002, would apply only to electronic medical records. Under the regulations, patients would be granted the right to view their records, make corrections to their records, and be informed by health plans about how their medical information is being used and who is requesting that information. The proposed regulations would require covered entities—health plans, health care clearinghouses, and health care providers who submit information electronically—to receive a written guarantee from their “business partners” that they will safeguard health information they receive. Business partners would include lawyers, auditors, consultants, and others. The proposed regulations would not preempt state laws if the state laws are “more stringent” than the regulations. Additionally, the regulations would establish civil and criminal penalties for violations of patients’ privacy by the inappropriate release of their medical information.

Opening the hearing, Committee Chair James Jeffords (R-VT) stated, “I hope to gain a better understanding regarding the appropriateness of the proposed rule on the privacy of individually identifiable health information, as well as, whether further legislation is needed to fill gaps that perhaps resulted from the Secretary’s limited authority in issuing the regulation.”

Under HIPAA, HHS may only regulate health plans, health care clearinghouses, and health care providers that transmit information electronically for financial or administrative transactions. HHS does not have the authority to regulate paper records. Additionally, HHS does not have the authority to grant individuals the right to sue; such authority can only come from Congress. HIPAA also prohibited HHS from preempting state laws that are stricter than the federal regulations.

Witnesses were unanimous in their support for federal confidentiality legislation, noting the limitations placed on HHS by HIPAA. “By virtue of the limited authority delegated by Congress, the proposed rules have limited applicability and cover only health plans, health care clearinghouses and health care providers who transmit health information (“covered entities”) in electronic form. We appreciate the fact that the Secretary has made a strong effort to extend this coverage to a covered entity’s business partners. But a large segment of those who hold health information remains beyond the scope of these regulations,” stated Janlori Goldman of the Health Privacy Project at Georgetown University.

While acknowledging the limitations placed on HHS, many witnesses were critical of the proposed rule. Charles N. Kahn, III, of the Health Insurance Association of America stated, “The proposed confidentiality regulations go beyond the statutory authority granted by HIPAA to the Secretary of HHS. This creates unnecessary regulatory burdens and could, in the end, lead to higher health care costs for consumers.”

John Houston of the American Hospital Association (AHA) agreed, saying, “The proposed rule would address the privacy of all individually identifiable health information, rather than the information transmitted electronically among providers and payers in certain transactions [eligibility, claims, payment] as described in HIPAA.”

However, Janet Heinrich of the General Accounting Office told the committee that “the regulatory strategies HHS adopted in the proposed rule seem consistent with HIPAA’s purpose of protecting the privacy of health information and are legally permissible.” Addressing the issue of allowing covered entities to require their business partners to keep health information confidential, which several witnesses argued was outside the scope of HHS’ authority, Ms. Heinrich stated, “HHS has attempted to fill an otherwise significant gap in privacy protection….We find these provisions to be reasonable and within HHS’ authority to promulgate.”