Sale of Patient Data
By John Schwartz
The Republican-crafted Patient Protection Act of 1998 would allow anyone who collects health information -- including hospitals, health maintenance organizations, doctors, pharmacies and insurers -- to provide that data to any health care provider or health plan for "health care operations," a broad term that includes case management and setting health plan ratings for companies. The bill does not expressly prohibit any subsequent release of the data, so long as that release does not violate state laws.
The bill could legally protect a practice, for example, that has recently generated controversy. The Washington Post disclosed in February that CVS, Giant and thousands of individual pharmacies were sending patient prescription information to a Massachusetts company. That company mailed out product pitches on behalf of pharmaceutical manufacturers and reminders to fill prescriptions on behalf of pharmacies. Giant and CVS dropped the practice after the article appeared.
"Protection of the privacy of the patient is literally destroyed," said Rep. John D. Dingell (D-Mich.). "It is one of the worst outrages that I've seen."
Robert Gellman, a Washington-based consultant who has worked with the Department of Health and Human Services to devise federal privacy standards for health information, called it "a shell of a privacy bill."
A representative of health care companies, however, disagreed. "This is the proposal that most effectively balances the two responsibilities of . . . keeping patient information confidential and [using patient data for] promoting and delivering high-quality health care services," said Heidi Wagner, a representative of the Health Care Leadership Council, a group representing health care providers that has pushed for the measure.
Wagner noted that the bill requires companies to come up with their own privacy policies that would protect consumers. She also argued that preemption of state laws is necessary because "the laws are all over the map on this issue." The language was introduced into the bill by Rep. Bill Thomas (R-Calif.), chairman of the health subcommittee of the Ways and Means Committee.
Patient privacy has gotten close scrutiny in recent sessions of Congress. Bills that would set standards of privacy protection for patient data have been introduced by Sens. Patrick J. Leahy (D-Vt.), Robert F. Bennett (R-Utah) and others. A 1996 law to ensure that Americans could transfer health insurance when they changed jobs included controversial provisions for a computerized medical system identifying every American. Under that 1996 law, Congress must come up with a system for protecting patient privacy or hand the issue off to the Department of Health and Human Services next year. Rep. Robert L. Barr Jr. (R-Ga.) introduced legislation yesterday that would repeal the provisions calling for health identification codes.
But the health information provision in the Patient Protection Act, which could be taken up by the full House as early as today, would be a step backward, privacy advocates said. Without adequate safeguards, they said, patients might be afraid to speak honestly with their doctors or even to seek care. "It's a serious interference with the doctor-patient relationship," said Janlori Goldman, a director of the Health Privacy Project at the Georgetown University Medical Center.
© Copyright 1998 The Washington Post Company