HHS Proposes Standards for Medical File Privacy
By Amy Goldstein
Federal health officials yesterday proposed the first comprehensive ground rules for protecting the confidentiality of medical records in an era of exploding computer information about people's medical histories.
The standards, released by Health and Human Services Secretary Donna E. Shalala, would require that doctors, hospitals and insurance companies release individual patient records only when needed for medical treatment and payments. The rules would establish new federal criminal penalties for misusing such information, and would guarantee patients the right to see their records and find out who else has looked at them.
But in a provision that drew swift denunciations from privacy advocates, Shalala proposed a broad exception for law enforcement authorities, who would continue to enjoy relatively ready access to doctor records with the names of patients attached and without those individuals' knowledge. Those investigators also would be allowed to keep those records indefinitely and use them as they saw fit, conceivably even to prosecute a patient.
In supporting ready access for law enforcement, Shalala disregarded the work of an advisory group that three months ago urged her to adopt "the strongest substantive and procedural protections" against subsequent uses of medical records by investigators.
The Clinton administration's recommendations, required by Congress a year ago, represent the federal government's most significant attempt to control the flow of medical information at a time when new computer networks have allowed patients' most personal medical details to be glimpsed and used in ways that would until recently have been inconceivable.
Yesterday, Shalala cited the case of a Boston health maintenance organization in which every clinical employee could read notes from patients' psychotherapy sessions. In another case, she said, a Colorado medical student copied patients' health records and sold them to medical malpractice attorneys.
The federal standards would augment a patchwork of privacy measures that states have enacted in recent years. Although a few states have comprehensive laws, most provide protection on narrower matters of particular sensitivity, such as AIDS test results and mental health records. Slightly more than half the states now ensure patients some kind of access to their own records.
Unlike most state laws, the standards put forth by the Clinton administration would apply to all settings in which medical records are kept, including doctors' offices, hospitals, insurance companies, workplaces, claims administrators and pharmaceutical companies. They also would extend protections that now apply only to government-funded research to all types of medical study.
"The way we protect the privacy of our medical records right now is erratic at best and dangerous at worst," Shalala said. "The fundamental question before us is, will our health records be used to heal us or reveal us? . . . As a nation, we must decide."
Testifying before the Senate Labor and Human Resources Committee, Shalala portrayed the administration's approach as a balancing act between the interests of individual privacy and several national priorities: research, public health and law enforcement efforts, including a heightened interest in ferreting out health care fraud.
The 81-page standards are a recommendation to Congress, which now will begin what may become a highly charged debate over whether to turn them into law.
The administration was required to propose a new federal approach to medical privacy under the Health Insurance Portability and Accountability Act, passed by Congress last year to make it easier for millions of Americans to obtain health insurance after they change jobs or develop a serious illness.
One facet of that law accelerated the trend toward computerized medical information by requiring a uniform method for transmitting patient records between doctors and insurance companies. But the law never specified how those records would be protected, leaving that task to another day.
To give itself impetus to tackle the issue swiftly, Congress gave itself three years to pass new privacy legislation. Otherwise, HHS would be allowed to put standards into effect on its own.
Yesterday, the Pharmaceutical Research and Manufacturers of America criticized Shalala's recommendation that the federal rules be considered a "floor" that would allow states to enact their own, stronger privacy protections.
But most of the complaints focused on the broad latitude proposed for law enforcement investigators.
A Justice Department spokesman acknowledged that several top department officials had argued forcefully against new limits on their access to medical records.
Confronted with pressure from the Justice Department, "they caved," said Janlori Goldman, an expert in electronic privacy who is a visiting scholar at Georgetown University Law Center.
Robert Gellman, a privacy and information policy consultant who led Shalala's outside advisers, said, "The whole package is stronger than any comparable state law." But Gellman said the law enforcement provision "doesn't provide enough protection for patients. . . . It virtually says the cops can get records [while investigating] fraud and abuse and then put them on the Internet."
Staff writer Roberto Suro contributed to this report.
© Copyright 1997 The Washington Post Company