[Congressional Record Volume 141, Number 4 (Monday, January 9, 1995)]
[Extensions of Remarks]
[Pages E63-E64]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




             FAIR HEALTH INFORMATION PRACTICES ACT OF 1995

                                 ______


                          HON. GARY A. CONDIT

                             of california

                    in the house of representatives

                        Monday, January 9, 1995

  Mr. CONDIT. Mr. Speaker, I have today introduced the Fair Health 
Information Practices Act of 1995. The purpose of this bill is to 
establish a uniform Federal code of fair information practices for 
individually identifiable health information that originates or is used 
in the health treatment and payment process.
  In the last Congress, I introduced a similar bill (H.R. 4077) that 
was the subject of several days of hearings. In August 1994, that bill 
was reported by the Committee on Government Operations and became the 
confidentiality part of the overall health care reform effort. While my 
bill died along with the rest of health care reform, it was one of the 
only noncontroversial parts of health reform.
  The bill that I have introduced today is identical to the version 
reported by the Committee on Government Operations last year. There 
were some changes made later in the legislative process, but I thought 
that the committee bill was the best starting point for now. A lengthy 
explanation of the bill can be found in the Government Operations 
Committee report, House Report 103-601, part V.
  The need for uniform Federal health confidentiality legislation is 
clear. In a report titled ``Protecting Privacy in Computerized Medical 
Information,'' the Office of Technology Assessment found that the 
present system of protecting health care information is based on a 
patchwork quilt of laws. State laws vary significantly in scope, and 
Federal laws are applicable only to limited kinds of information or to 
information maintained only by the Federal Government. Overall, OTA 
found that the present legal scheme does not provide consistent, 
comprehensive protection for privacy in health care information, 
whether that information exists in a paper or computerized environment. 
A similar finding was made by the Institute of Medicine in a report 
titled ``Health Data in the Information Age.''
  A public opinion poll sponsored by Equifax and conducted by Louis 
Harris and Associates documents the importance of privacy to the 
American public. Eighty-five percent agree that protecting the 
confidentiality of people's medical records is absolutely essential or 
very important in national health care reform. The poll shows that most 
Americans believe protecting confidentiality is a higher priority than 
providing health insurance to those who do not have it today, reducing 
paperwork burdens, or providing better data for research. The poll also 
showed that 96 percent of the public agrees that it is important for an 
individual to have the right to obtain a copy of their own medical 
record.
  Health information is a key asset in the health care delivery and 
payment system. Identifiable health information is heavily used in 
research and cost containment, and this usage will only grow over time. 
It is too early to predict what type of health reform legislation will 
be considered in the new Congress, but rules governing the use and 
disclosure of health information are certain to be a key element. My 
legislation is flexible enough to fit into any health reform 
legislation, large or small, or to stand on its own as a separate bill. 
Regardless of how the health delivery and payment system is structured, 
there is and will continue to be a need for a code of fair information 
practices.
  By establishing fair information practices in statute, the long-term 
costs of implementation will be reduced, and necessary protections will 
be built in from the outset. This will assure patients and medical 
professionals that fair treatment of health information is a 
fundamental element of the health care system. Uniform privacy rules 
will also assist in restraining costs by supporting increased 
automation, simplifying the use of electronic data interchange, and 
facilitating the portability of health coverage.
  Today, few medical professionals and fewer patients know the rules 
that govern the use and disclosure of medical information. In a society 
where patients, professionals, and records routinely cross State 
borders, it is rarely worth anyone's time to attempt to learn the rules 
of any one jurisdiction, let alone several jurisdictions. One goal of 
my bill is to change the culture of health records so that 
professionals and patients alike will be able to understand the rights 
and responsibilities of all participants. Common rules and a common 
language will facilitate broader understanding and better protection. 
Professionals will be able to learn the rules once with the confidence 
that the same rules will apply wherever they practice. Patients will 
learn that they have the same rights in every State and in every 
doctor's office.
  There are two basic concepts that are essential to an understanding 
of the new approach. First, identifiable health information that is 
created or used during the medical treatment or payment process becomes 
protected health information, or individually identifiable patient 
information relating to the provision of health care or payment for 
health care. This new terminology emphasizes the sensitivity of the 
information and connotes an obligation to safeguard the data. Protected 
health information generally remains subject to statutory restriction 
no matter how it is used or disclosed.
  The second basic concept is that of a health information trustee. 
Anyone who has access to protected health information under the bill's 
procedures becomes a health information trustee. Trustees have 
different sets of responsibilities and authorities depending on their 
functions. The authorities and responsibilities have been carefully 
defined to balance legitimate societal needs for data against each 
patient's right to privacy and the need for confidentiality in the 
health treatment process. Of course, every health information trustee 
has an obligation to maintain adequate security for protected health 
information.
  The term trustee was selected in order to underscore that those in 
possession of identifiable health information have obligations that go 
beyond their own needs and interests. A doctor who possesses 
information about a patient does not own that information. It is more 
accurate to say that both the record subject and the recordkeeper have 
rights and responsibilities with respect to the information. My 
legislation defines those rights and responsibilities. The concept of 
ownership of personal information maintained by third party record 
keepers is not particularly useful in today's complex world.
  A key element of this system is the specification of the rights of 
patients. Each patient will have a bundle of rights with respect to 
protected health care information about himself or herself that is 
maintained by a health information trustee. In general, a patient will 
have the right to inspect and to have a copy of that information. A 
patient will have the right to seek correction of information that is 
not timely, accurate, relevant, or complete. A patient also has a right 
to expect that any trustee will use and maintain information in 
accordance with the rules in the act. A patient will have a right to 
receive a notice of information practices. The bill establishes 
standards and procedures to make these rights meaningful and effective.

  I want to emphasize that I have not proposed a pie-in-the sky privacy 
code. This is a realistic bill for the real world. I have borrowed 
ideas from others concerned about health records, including the 
American Health Information Management Association, the Workgroup for 
Electronic Data Interchange, and the National Conference of 
Commissioners on Uniform State Laws. Assistance provided last year by 
the American Health Information Management Association was especially 
valuable.
  I believe that everyone recognizes that we do not have the luxury of 
elevating each patient's privacy interest above every other societal 
interest. Such a result would be impractical, unrealistic, and 
expensive. The right answer is to strike an appropriate balance that 
protects each patients's interests while permitting essential uses of 
data under controlled conditions. This should be happening today, but 
recordkeepers do not know their responsibilities, patient rights are 
not always clearly defined, and there are large gaps in legal 
protections for health information. My bill recognizes necessary 
patterns of usage and combines it with comprehensive protections for 
patients. There will be no loopholes in protection for information 
originating in the health treatment or payment process. As the data 
moves to other parts of the health care system and beyond, it will 
remain subject to the Fair Health Information Practices Act of 1995. 
This novel requirement may be the single most important feature of my 
bill.
  The legislation includes a variety of remedies that will help to 
enforce the new standards. For those who willfully ignore the rules, 
there are strong criminal penalties. For patients whose rights have 
been ignored or violated by others, there are civil remedies. There 
will also be administrative sanctions and arbitration to provide 
alternative, less expensive, and more accessible remedies.
  The Fire Health Information Practices Act of 1995 offers a complete 
and comprehensive plan for the protection of the interests of patients 
and the needs of the health care system in the complex modern world of 
health care. More work still needs to be done, and I am committed to 
working with every group and institution that will be affected by the 
new health information rules. I remain open to new ideas that will 
improve the bill.
  In closing, I want to acknowledge the limits of legislation. We must 
recognize and accept the reality that health information is not 
completely confidential. It would be wonderful if we [[Page E64]] could 
restore the old notion that what you tell your doctor in confidence 
remains secrets. In today's complex health care environment, 
characterized by third party payers, medical specialization, high cost 
care, and increasing computerization, this is simply not possible. My 
legislation does not and cannot promise absolute privacy. What it does 
offer is a code of fair information practices for health information.
  The promise of that code to professionals and patients alike is that 
identifiable health information will be fairly treated according to a 
clear set of rules that protect the confidentiality interests of each 
patient to the greatest extent possible. While we may not realistically 
be able to offer any more than this, we surely can do no less for the 
American public.

                          ____________________