Privacy, Security, and Confidentiality of Medical Records
State & Federal Policy Issues

 President Clinton-State of the Union, February 1999

106th Congress
Major Reasons for Congressional Action

  • Legal Deadline in HIPAA August 1999
  • Administration's (HHS) preference for further congressional direction
  • International Pressure-European Union Data Privacy Directive, October 1999.
    • EU member states must enact laws prohibiting transfer of personal data to non-EU countries that lack an "adequate level of protection".
    • US engaged in discussions with the EU about the issue.
  • Absence of a comprehensive federal medical privacy law protecting privacy in all settings.
    • Balanced Budget Act of 1997 applies only to beneficiaries of Medicare+Choice plans.
    • Other laws address privacy of alcohol abuse/mental health/AIDS information in specific situations (e.g., ADAMHA, Veterans and Americans with Disabilities Act).

Major Reasons for Congressional Action (continued)

  • Most state laws are narrow in scope and venue.
  • Existing federal law (Privacy Act of 1974) applies only to federal agencies.
  • Scientific Developments in Genetics
    • The Human Genome Project has advanced knowledge of causes of human disease, but also raises thorny privacy issues.
  • Explosive Growth in IT
    • National Research Council estimates health industry spent $10-15 billion on IT in 1996.
  • Cost-Cutting Reforms
    • Congress is using information integration requirements to cut the costs of Medicare and Medicaid.


 Centers for Disease Control Study

  • 37 states impose confidentiality duties on M.D.s.
  • 26 states extend confidentiality duties to allied providers.
  • 33 states require health care institutions to maintain confidentiality of medical records.
  • All states have some law governing use and disclosure, BUT the laws vary very widely.
  • Like federal laws, state laws cover certain classes of health information (e.g., HIV, mental health, and substance abuse) or apply only to state institutions.
  • 15 states use the NAIC Insurance Information and Privacy Protection Model law, which controls use and disclosure of information by insurers.

  106th Congress

  • Preemption
    • Texas Example (Texas has a well-established body of law)
      • AIDS/HIV Patient Records
      • Physician-Patient Privilege and Authorization of Disclosure
      • Mental Health Patient Records
      • Substance Abuse Patient Records
      • Genetic Information
  • General consensus for a baseline federal statute strengthening safeguards
  • Strong support for a legislative rather than regulatory fix

  Key Similarities

  • Bills introduced thus far have sought to
    • Restrict use and disclosure of personally identifiable health information
    • Establish security and auditing capabilities for records systems
    • Ensure patient access to their records
    • Provide patients the right to seek corrections
    • Require entities to state their privacy practices
    • Establish penalties for abuse of privacy rights

Key Differences

  • Bills have varied in the way in which they
    • Establish methods for assuring protection
    • Allow federal laws to "preempt" state laws
    • Set mechanisms for obtaining informed consent and for using federal laws as a basis for disclosure
    • Set rules regarding protected information gathered during health research
    • Set procedures for law enforcement access to medical data
    • Define "individually identifiable health information"

Key Issues

Preemption

  • U.S. Department of HHS supports a "preemption floor" that would allow more stringent state laws.
  • S.573 (Leahy)/H.R. 1057 (Markey) preempts state laws offering lesser protections or those with conflicting provisions.
    • Exempts from preemption certain state laws on vital statistics, abuse or neglect, mental health, and a minor's access to health services and information.
  • S.578 (Jeffords) is similar to S.573/H.R.1057, but would not preempt state laws until the act takes effect.
  • S.881 (Bennett), the Medical Information Privacy Act, preempts state laws with lesser or conflicting provisions, except federal or state provisions regarding disclosure of information about a minor to a parent or guardian.
  • Most other patient protection bills do not address preemption of similar or stronger state laws.

 Key Issues

Informed Consent "Authorization"

  • General agreement that use and disclosure should be based on specific criteria and limited to specific purposes or objectives.
  • Procedures for revoking authorizations, and a call for DHHS "model authorization forms".
  • Exceptions for emergencies, public health purposes, health care oversight, judicial proceedings, health research and certain law enforcement purposes.
  • Conditions under which the exceptions are allowed vary.

 Key Issues (continued)

Informed Consent "Authorization"

  • The issue is balancing individual rights against societal goals: quality and costs.
  • Bills use different approaches to securing authorization.
  • S. 573 (Leahy): patient may deny use or disclosure for any purpose not related to treatment or billing without fear of losing health benefits.
  • S.578 (Jeffords): establishes a consolidated authorization for various purposes, and allows revocation once the individual starts paying.
  • S. 881 (Bennett): requires a single authorization for use and disclosure for various purposes, including treatment, payment and health care operations.

 Key Issues

Access by Law Enforcement

  • Big, big issue!
  • The law enforcement community does not want its ability to pursue fugitives, evidence of illegal activity, forensics, etc. hampered.
  • Focus on cases of fraud and abuse in the health care industry.
  • Department of HHS recommendations criticized by privacy advocates for allowing law enforcement wide authority to access patient records.
  • All major bills require a subpoena, warrant, court order, or summons before health information could be disclosed for law enforcement purposes.
  • S. 578 (Jeffords) and S. 881 (Bennett) also permit disclosure pursuant to a federal or state law requiring reporting of specific medical information to law enforcement authorities.
  • Several bills require return or destruction of the information once its purpose has been achieved.

 Key Issues

Health Research

  • When does a researcher need to obtain informed consent or authorization to access information?
    • S.578 (Jeffords) allows disclosure of health information to a researcher if the research is federally conducted and complies with the "Common Rule" (an Institutional Review Board (IRB) mechanism for informed consent), or if it is part of a clinical investigation conforming to FDA requirements.
    • S.881 (Bennett) allows disclosure to a researcher by a person in lawful possession of the information if an IRB has approved the project under the Common Rule, or for analyses of health records and archives if the entity possessing the records has met certain written security procedures and policies.

106th Congress

Bill Summary

  • Four comprehensive confidentiality bills
    • S.573 (Leahy) / H.R. 1057 (Markey)
    • S.578 (Jeffords)
    • S. 881 (Bennett)
  • Bills providing patient protection and managed care reforms also sometimes relate to privacy protections:
    • S.6 (Daschle), S.240 (Daschle), and H.R. 358 (Dingell) require insurers to establish procedures to safeguard individually identifiable enrollee information
  • Other Protection Bills
    • More extensive provisions allowing patients to inspect, copy, and amend health information, and establishing safeguards of various kinds (S.300 Lott) (S.326 Jeffords)
    • Or include the above features in addition to allowing disclosure for health care operations and preemption of state laws (H.R.448 Bilirakis)
    • Finally, S.300 and S.326 also prohibit discrimination on the basis of genetic testing.

 Contact Information

Neal Neuberger, President
Health Tech Strategies
(703) 538-0917