Health Privacy Standards Go Back to Drawing Board
Feb. 17, 2000 (Washington) -- Privacy went public in Congress, as a House panel today examined the Clinton administration's controversial proposal to safeguard personal health information.
The rules would give Americans the right to examine their own medical records, a right currently in law only in 28 states. The rules would also allow individuals to correct and make copies of their records.
However, they would also allow health information to be shared without patient authorization for reasons directly related to treatment, payment, and "health care operations." But they would require that plans, providers, and clearinghouses get authorization from a patient to use information for other purposes.
Currently there are no federal standards on the disclosure of personal health information. With that in mind, some groups told the House Ways and Means Committee's health subcommittee that the proposed rules provided an important foundation, from which Congress could fill gaps. "[The] regulations constitute a significant step towards restoring the public trust and confidence in our nation's health care," said Janlori Goldman, director of the Health Privacy Project at Georgetown University.
Rep. Phil English, R-Pa., complained that state health officials have told him that they are concerned the rules would result in overprotection of health information, even when it may be disclosed without patient authorization for public health reasons.
Meanwhile, Margaret Hamburg, MD, an official with the Department of Health and Human Services (HHS), conceded that the rules have gaps and that congressional action is needed to complete the job. The administration was required to issue limited rules because Congress failed to meet its deadline to pass a comprehensive law.
Subcommittee chairman Bill Thomas, R-Calif., tells WebMD that he is drafting privacy legislation with Rep. Ben Cardin, D-Md., although he would not say when he would introduce the bill.
The proposed rules cover only electronic-based information, just a fraction of the paper-centered universe. And its standards apply directly only to health plans, providers, and clearinghouses. Employers, researchers, and others that receive and retransmit information -- such as law enforcement officials -- are not covered.
Moreover, the rules also do not lay out the right of individuals to sue over their privacy rights and do not establish tough enough penalties, according to HHS. Although the rules would override state laws that are less stringent, they would permit stronger state laws to take precedence.