[Congressional Record Volume 140, Number 30 (Thursday, March 17, 1994)]
[House]
[Page H]
From the Congressional Record Online through the Government Printing Office [www.gpo.gov]


[Congressional Record: March 17, 1994]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]

 
             FAIR HEALTH INFORMATION PRACTICES ACT OF 1994

  The SPEAKER pro tempore. Under a previous order of the House, the 
gentleman from California [Mr. Condit] is recognized for 5 minutes.
  Mr. CONDIT. Mr. Speaker, I have today introduced the Fair Health 
Information Practices Act of 1994. The purpose of this bill is to 
establish a uniform Federal code of fair information practices for 
individually identifiable health information that originates or is used 
in the health treatment and payment process.
  As introduced, the bill is a stand-alone piece of legislation that 
could become law without reference to the larger health reform effort. 
I do not, however, intend to move this bill independently. The portion 
of the Health Security Act (H.R. 3600) that addressed confidentially of 
health information has been referred to the Government Operations 
Committee Subcommittee on Information, Justice, Transportation, and 
Agriculture, which I chair. The legislation that ultimately develops 
from today's starting point eventually will be incorporated into H.R. 
3600. The introduction of a separate bill is a convenient way to 
organize hearings and foster discussions of this important element of 
health reform.
  The need for uniform health confidentiality legislation is clear. In 
a recent report titled ``Protecting Privacy in Computerized Medical 
Information,'' the Office of Technology Assessment found that the 
present system of protecting health care information is based on a 
patchwork quilt of laws. State laws vary significantly in scope, and 
Federal laws are applicable only to limited kinds of information or to 
information maintained only by the Federal Government. Overall, OTA 
found that the present legal scheme does not provide consistent, 
comprehensive protection for privacy in health care information, 
whether that information exists in a paper or computerized environment. 
A similar finding was made by the Institute of Medicine in a recent 
report titled ``Health Data in the Information Age.''
  A recent public opinion pole sponsored by Equifax and conducted by 
Louis Harris and Associates documents the importance of privacy to the 
American public. Eighty-five percent agree that protecting the 
confidentiality of people's medical record is absolutely essential or 
very important in national health care reform. The poll shows that most 
Americans believe protecting confidentiality is a higher priority than 
providing health insurance to those who do not have it today, reducing 
paperwork burdens, or providing better data for research. The poll also 
showed that 96 percent of the public agrees that it is important for an 
individual to have the right to obtain a copy of their own medical 
record.
  We know that health information will be a key element in any health 
reform. Identifiable health information is already heavily used in cost 
containment efforts, and this usage will only grow. The Health Security 
Act proposed by President Clinton and introduced by Representative 
Gephardt contains several provisions that specifically address privacy. 
Section 5120 requires the National Health Board to promulgate standards 
respecting the privacy of individually identifiable health information. 
Section 5122 gives the Board 3 years to submit a detailed legislative 
proposal to establish a comprehensive scheme of privacy protection for 
health information, including a code of fair information practices.
  The legislation I have introduced is principally a substitute for 
these two sections of H.R. 3600. The bill is flexible enough, however, 
that it will also fit into any health reform proposal of any type that 
passes the Congress. My bill offers a comprehensive implementation of a 
fair information practices code that we can enact this year as part of 
a complete health reform initiative or even on its own. Regardless of 
how the health delivery and payment system is restructured, there is 
and will continue to be a need for a code of fair information 
practices.

  By establishing fair information practices in advance, the long--term 
costs of implementation will be reduced, and necessary protections will 
be built in from the outset. This will assure patients and medical 
professionals that fair treatment of health information is a 
fundamental element of health reform. Uniform privacy rules will also 
assist in restraining costs by supporting increased automation, 
simplifying the use of electronic data interchange, and facilitating 
the portability of health coverage.
  Today, few medical professionals and fewer patients know the rules 
that govern the use and disclosure of medical information. In a society 
where patients, professionals, and records routinely cross state 
borders, it is rarely worth anyone's time to attempt to learn the rules 
of any one jurisdiction, let alone several jurisdictions. One of the 
goals of my bill is to change the culture of health records so that 
professionals and patients alike will be able to understand the rights 
and responsibilities of all participants. Common rules and a common 
language will facilitate broader understanding and better protection. 
Professionals will be able to learn the rules once with the confidence 
that the same rules will apply wherever they practice. Patients will 
learn that they have the same rights in every State and in every 
doctor's office.
  There are two basic concepts that are essential to an understanding 
of the new approach. First, identifiable health information that is 
created or used during the medical treatment or payment process becomes 
protected health information, or individually identifiable patient 
information relating to the provision of health care or payment for 
health care. This new terminology emphasizes the sensitivity of the 
information and connotes an obligation to safeguard the data. Protected 
health information generally remains subject to statutory restriction 
no matter how it is used or disclosed.
  The second basic concept is that of a health information trustee. 
Anyone who has access to protected health information under the bill's 
procedures becomes a health information trustee. There are three 
different types of trustees. Those directly involved in providing 
treatment, in paying for treatment, and in conducting essential health 
system oversight are health use trustees. Those who use identifiable 
information for public health or health research purposes are public 
health trustees. Finally, others who have an occasional need for health 
information to accomplish a specific purpose authorized by law are 
special purpose trustees.
  Each class of trustee has its own defined set of responsibilities and 
authorities. Health use trustees have the greatest authority to use and 
disclose data, but they also have the highest level of responsibility 
to the patient. Other trustees have less authority and fewer duties. In 
each instance, the authorities and responsibilities have been carefully 
defined to balance legitimate societal needs for data against each 
patient's right to privacy and the need for confidentiality in the 
health treatment process. Of course, every health information trustee 
has an obligation to maintain adequate security for protected health 
information.

  The term trustee was selected in order to underscore that those in 
possession of identifiable health information have obligations that go 
beyond their own needs and interests. A doctor who possesses 
information about a patient does not own that information. It is more 
accurate to say that both the record subject and the recordkeeper have 
rights and responsibilities with respect to the information. My 
legislation defines those rights and responsibilities. The concept of 
ownership of personal information maintained by third-party 
recordkeepers is not particularly useful in today's complex world.
  A key element of this system is the specification of the rights of 
patients. Each patient will have a bundle of rights with respect to 
protected health care information about himself or herself that is 
maintained by a health use trustee. A patient will have a right to 
receive a notice of information practices. A patient will have the 
right to inspect and to have a copy of that information. A patient will 
have the right to seek correction of information that is not timely, 
accurate, relevant, or complete. A patient also has a right to expect 
that any trustee will use and maintain information in accordance with 
the rules in the act. The bill establishes standards and procedures to 
make these rights meaningful and effective.
  I want to emphasize that I have not proposed a pie-in-the-sky privacy 
code. This is a realistic bill for the real world. I have borrowed 
ideas from others concerned about health records, including the 
American Health Information Management Association, the Workgroup for 
Electronic Data Interchange, the National Conference of Commissioners 
on Uniform State Laws, and the recently completed Institute of Medicine 
report on health data organizations.
  I believe that everyone recognizes that we do not have the luxury of 
elevating each patient's privacy interest above every other societal 
interest. Such a result would be impractical, unrealistic, and 
expensive. The right answer is to strike an appropriate balance that 
protects each patient's interests while permitting essential uses of 
data under controlled conditions. This should be happening today, but 
record keepers do not know their responsibilities, patient rights are 
not always clearly defined, and there are large gaps in protections for 
health information. My bill recognizes necessary patterns of usage and 
combines it with comprehensive protections for patients. There will be 
no loopholes in protection for information originating in the health 
treatment or payment process. As the data moves to other parts of the 
health care system and beyond, it will remain subject to the Fair 
Health Information Practices Act of 1994. This novel requirement may be 
the single most important feature of my bill.
  The legislation includes a variety of remedies that will help to 
enforce the new standards. For those who willfully ignore the rules, 
there are strong criminal penalties. For patients whose rights have 
been ignored or violated by others, there are civil remedies. There 
will also be administrative sanctions and arbitration to provide 
alternative, less expensive, and more accessible remedies.
  I believe that the Fair Health Information Practices Act of 1994 
offers a complete and comprehensive plan for the protection of the 
interests of patients and the needs of the health care system in the 
complex modern world of health care. I recognize, however, that the 
bill I have introduced is merely a starting point. It is inevitable 
that a piece of legislation this complex will require adjustments and 
revisions as it moves through the Congress. The pressure of the 
legislative calendar has forced me to begin the public part of the 
process now.

  One area where I know that much more work is needed is in dealing 
with preemption. A uniform set of rules for health information will 
require that conflicting rules in other state and Federal laws will 
have to yield. For example, we need to establish uniform rules that 
will support electronic data interchange of information that is 
essential to efficient computerized communication of billing and other 
administrative data. We may not, however, need to preempt every law. 
There are some policy choices made by states that will not conflict 
with the basic principles or functionality of the Fair Health 
Information Practices Act. There has not been time to identify these 
laws, and this work is continuing. In the future, I expect to develop a 
more precise approach to preemption than exists in the bill today.
  I am committed to working with every group and institution that will 
be affected by the new health information rules. If you find that this 
bill fails to address a significant issue, work with me to find a 
solution. If the bill creates an unanticipated problem, work with me to 
fix it. If you have a better idea, I want to hear from you. The process 
is open, and the bill is just a fist draft. Nothing is cast in 
concrete.
  In closing, I want to acknowledge the limits of legislation. We must 
recognize and accept the reality that health information is not 
completely confidential. It would be wonderful if we could restore the 
old notion that what you tell your doctor in confidence remains secret. 
In today's complex heath care environment, characterized by third party 
payers, medical specialization, high cost care, and increasing 
computerization, this is simply not possible. My legislation does not 
and cannot promise absolute privacy. What it does offer is a code of 
fair information practices for health information.
  The promise of that code to professional and patients alike is that 
identifiable health information will be fairly treated according to a 
clear set of rules that protect the confidentiality interests of each 
patient to the greatest extent possible. While we may not realistically 
be able to offer any more than this, we surely can do no less for the 
American public.

                          ____________________