[Congressional Record Volume 141, Number 165 (Tuesday, October 24, 1995)]
[Senate]
[Pages S15576-S15579]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. BENNETT (for himself, Mr. Dole, Mr. Leahy, Mrs. Kassebaum, 
        Mr. Kennedy, Mr. Frist, Mr. Simon, Mr. Hatch, Mr. Gregg, Mr. 
        Stevens, Mr. Jeffords, Mr. Kohl, Mr. Daschle, and Mr. 
        Feingold):
  S. 1360. A bill to ensure personal privacy with respect to medical 
records and health care-related information, and for other purposes; to 
the Committee on Labor and Human Resources.


            the medical records confidentiality act of 1995

 Mr. BENNETT. Mr. President, today I am introducing the Medical 
Records Confidentiality Act of 1995. This legislation is one of the 
many small steps that are needed to reform our health care system. I am 
pleased that a number of my Republican and Democratic colleagues have 
joined me in cosponsoring this legislation.

[[Page S 15577]]

  I can think of few other areas in our lives that are more personal 
and private than is our medical history. Each of us has a relationship 
with our doctors, nurses, pharmacists, and other health care 
professionals that is unique and privileged. They may know things about 
us that we choose not to tell our spouses, children, siblings, parents, 
or our closest friends. While our medical records may contain nothing 
out of the ordinary, to us these records should be strictly personal.
  S. 1360 aims, first, to provide Americans with greater control over 
their medical records in terms of confidentiality, access, and 
security, and second, to provide the health care system with a Federal 
standard for handling identifiable health information.
  Most Americans believe their medical records are protected in terms 
of confidentiality under Federal law. Most Americans are mistaken. 
Protecting the confidentiality of our medical records is an expectation 
that is yet to be guaranteed as a right. This legislation is an 
opportunity for Congress to act in a bipartisan manner to resolve an 
important problem within our health care system. Today over 80 percent 
of our medical records are paper based; however, in the not too distant 
future all of our medical records will be electronic based.
  In my opinion and in the opinion of a number of outside groups such 
as the Center for Democracy and Technology, American Health Information 
Management Association, International Business Machines Corporation, 
Blue Cross and Blue Shield Association, and the American Hospital 
Association, it is time to put into place the safeguards and security 
measures needed to protect the integrity and confidentiality of our 
medical records.
  Patients should be assured that the treatment they receive is 
a matter between themselves and their doctor, regardless if it's a 
yearly physical, psychiatric evaluation, plastic surgery, or cancer 
treatment. The majority of patients agree that treatment and billing 
are the two appropriate uses of medical records. This legislation 
provides patients the right to limit disclosure of medical records for 
purposes other than treatment and billing and requires separate 
authorization forms for treatment, billing and other kinds of 
disclosures. It also requires providers to keep a record of those to 
whom they disclose information.

  In the hospital, most patients are unaware that their records are 
accessible to almost any health care provider walking into their room 
or almost any hospital employee with a computer who can gain access to 
the hospital's computer system. There are a number of doctors and 
nurses who refuse to be treated in the hospital where they practice 
medicine because they know that with a stroke of a keyboard their 
colleagues will know why they are in the hospital and know they are 
being treated.
  One of the most important issues this legislation addresses is that 
of access to personal medical records. It is difficult for most of us 
to understand that in many instances individuals may have great 
difficulty gaining access to their own medical records. There are no 
Federal laws regarding access to medical records and only a few States 
allow patients the right to review and copy their medical records. In 
many instances, if the medical record is incorrect the patient never 
has the opportunity to address those errors. This legislation would 
allow individuals not only access to their records but also the 
opportunity to address any errors.
  This legislation will enable organizations and entities involved in 
providing health care, or who act as contractors or agents to 
providers, to abide by one standard for confidentiality. Our health 
care system grows more complex and sophisticated with each year. Having 
one standard will simplify the business of health care, reduce the cost 
of complying with 50 state standards and allow the continuation of 
research that will improve the efficiency of our health care system.
  Currently, the only protection of medical records is under state 
laws. At this time there are 34 States with 34 different laws to 
protect these records. Only 28 States provide patients with access to 
their medical records. My own State of Utah does not have a 
comprehensive law to protect medical records or provide access. Given 
the transient nature of our society and that fact that more than 50 
percent of the population live on a State boarder, it is vital that 
we provide a national standard for the protection of medical records.

  It is unfair to both the patients and the providers of medical 
services not to clearly and concisely outline the rights of the patient 
and define the standards of disclosure. The effort to provide Federal 
protection of medical records has continued for the last 20 years. Many 
of the outside groups that have provided assistance to me and my staff 
have been involved for many of these years. Those groups that have 
provided assistance include patient right advocates, health care 
providers, electronic data services, insurance companies, health 
researchers, States, health record managers--to name just a few. I am 
grateful to them for their assistance and expertise; without their 
efforts we would not be here today.
  I want to express my appreciation to the two leaders, Senators Dole 
and Daschle for their support as cosponsors. I am very pleased to have 
Chairwoman Kassebaum and the ranking minority member, Senator Kennedy 
of Labor and Human Resources Committee as cosponsors. I want to express 
my appreciation to Senator Leahy for his efforts on this legislation. 
He has been a supporter of this legislation for a number of years and I 
appreciate his cosponsorship I am also pleased to add Senators Hatch, 
Frist, Jeffords, Stevens, Gregg, Simon, Kohl, and Feingold as original 
cosponsors. I hope the Senate will act swiftly to hold hearings and to 
move this legislation through the committee process to the Senate floor 
for final consideration. I would urge my colleagues to support this 
legislation and would welcome their cosponsorship.
 Mrs. KASSEBAUM. Mr. President, I rise today to join Senator 
Bennett, the distinguished majority leader, Senators Hatch, Kennedy, 
Frist, Leahy, Simon, and others in introducing the Medical Records 
Confidentiality Act of 1995.
  We have spent a great deal of time and energy these last several 
months--and will spend even more time during the coming weeks--debating 
changes to the Medicare and Medicaid programs. As we debate these 
changes, the private health care system continues to literally 
transform itself overnight.
  While health providers still wrestle with multiple paper forms and 
bulky files, increasingly health information and data is digitally 
transmitted to multiple databases by high-speed computers over fiber-
optic networks. Many Americans believe their private medical records 
are safely stored in doctors' offices and hospitals. Yet, the evolving 
health care delivery system and the technological infrastructure 
necessary to support it has left gaping holes in the patchwork of 
current State privacy laws and threatened the confidentiality of 
private medical information.
  Let me give just one example that highlights both the promise and the 
peril of medical information. Recent advances have allowed researchers 
to identify a growing number of genetic characteristics that place 
individuals at higher-than-average risk for developing disease. While 
genetic research provides tremendous opportunities to help us better 
treat and manage illness, disclosure of genetic information also may 
place individuals at a greater risk of discrimination in obtaining 
health coverage for themselves and their families.
  The Medical Records Confidentiality Act takes a balanced approach to 
encouraging the continued development of a world-class health 
information infrastructure while, at the same time, assuring Americans 
that their sensitive medical records are protected. The legislation is 
designed to provide all patients with Federal safeguards for their 
medical records, whether in paper or electronic form, and to provide 
doctors, hospitals, insurance companies, managed care companies, and 
other entities that have access to medical records with clear Federal 
rules governing when and to whom they may disclose health information.
  Mr. President, I applaud Senator Bennett for taking on such a complex 
and important issue. I look forward to working with him, and with my 
colleagues on the Senate Committee on Labor and Human Resources, to see 


[[Page S 15578]]
that this very important piece of legislation is enacted during the 
104th Congress.
  Mr. LEAHY. Mr. President, today I join in introducing the Medical 
Records Confidentiality Act of 1995, with Senator Bennett, our 
distinguished colleague from Utah.
  For the past several years, I have been engaged in efforts to make 
sure that Americans' expectations of privacy for their medical records 
are fulfilled. That is the purpose of this bill.
  I do not want advancing technology to lead to a loss of personal 
privacy and do not want the fear that confidentiality is being 
compromised to stifle technological or scientific development.
  The distinguished Republican majority leader put his finger on this 
problem last year when he remarked that a compromise of privacy that 
sends information about health and treatment to a national data bank 
without a person's approval would be something that none of us would 
accept. We should proceed without further delay to enact meaningful 
protection for our medical records and personal and confidential health 
care information.
  I have long felt that health care reform will only be supported by 
the American people if they are assured that the personal privacy of 
their health care information is protected. Indeed, without confidence 
that one's personal privacy will be protected, many will be discouraged 
from seeking help from our health care system or taking advantage of 
the accessibility that we are working so hard to protect.
  The American public cares deeply about protecting their privacy. This 
has been demonstrated recently in the American Civil Liberties Union 
Foundation's benchmark survey on privacy entitled ``Live and Let Live'' 
wherein three out of four people expressed particular concern about 
computerized medical records held in databases used without the 
individual's consent. A public opinion poll sponsored by Equifax and 
conducted by Louis Harris indicated that 85 percent of those surveyed 
agreed that protecting the confidentiality of medical records is 
extremely important in national health care reform. I can assure you 
that if that poll had been taken in Vermont, it would have come in at 
100 percent or close to it.
  Two years ago, I began a series of hearings before the Technology and 
the Law Subcommittee of the Judiciary Committee. I explored the 
emerging smart card technology and opportunities being presented to 
deliver better and more efficient health care services, especially in 
rural areas. Technology can expedite care in medical emergencies and 
eliminate paperwork burdens. But it will only be accepted if it is used 
in a secure system protecting confidentiality of sensitive medical 
conditions and personal privacy. Fortunately, improved technology 
offers the promise of security and confidentiality and can allow levels 
of access limited to information necessary to the function of the 
person in the health care treatment and payment system.
  In January 1994, we continued our hearings before that Judiciary 
Subcommittee and heard testimony from the Clinton administration, 
health care providers and privacy advocates about the need to improve 
upon privacy protections for medical records and personal health care 
information.
  In testimony I found among the most moving I have experienced in more 
than 20 years in the Senate, the subcommittee heard first hand from 
Representative Nydia Velazquez, our House colleague who had sensitive 
medical information leaked about her. She and her parents woke up to 
find disclosure of her attempted suicide smeared across the front pages 
of the New York tabloids. If any of us have reason to doubt how hurtful 
a loss of medical privacy can be, we need only talk to our House 
colleague.
  Unfortunately, this is not the only horrific story of a loss of 
personal privacy. I have talked with the widow of Arthur Ashe about her 
family's trauma when her husband was forced to confirm publicly that he 
carried the AIDS virus and how the family had to live its ordeal in the 
glare of the media spotlight.
  We have also heard testimony from Jeffrey Rothfeder who described in 
his book ``Privacy for Sale'' how a freelance artist was denied health 
coverage by a number of insurance companies because someone had 
erroneously written in his health records that he was HIV-positive.
  The unauthorized disclosure and misuse of personal medical 
information have affected insurance coverage, employment opportunities, 
credit, reputation, and a host of services for thousands of Americans. 
Let us not miss this opportunity to set the matter right through 
comprehensive Federal privacy protection legislation.
  As I began focusing on privacy and security needs, I was shocked to 
learn how catch-as-catch-can is the patchwork of State laws protecting 
privacy of personally identifiable medical records. A few years ago we 
passed legislation protecting records of our videotape rentals, but we 
have yet to provide even that level of privacy protection for our 
personal and sensitive health care data.
  Just yesterday the Commerce Department released a report on Privacy 
and the NII. In addition to financial and other information discussed 
in that report, there is nothing more personal than our health care 
information. We must act to apply the principles of notice and consent 
to this sensitive, personal information.
  Now is the time to accept the challenge and legislate so that the 
American people can have some assurance that their medical histories 
will not be the subject of public curiosity, commercial advantage or 
harmful disclosure. There can be no doubt that the increased 
computerization of medical information has raised the stakes in privacy 
protection, but my concern is not limited to electronic files.
  As policymakers, we must remember that the right to privacy is one of 
our most cherished freedoms--it is the right to be left alone and to 
choose what we will reveal of ourselves and what we will keep from 
others. Privacy is not a partisan issue and should not be made a 
political issue. It is too important.
  I am encouraged by the fact that the Clinton administration clearly 
understands that health security must include assurances that personal 
health information will be kept private, confidential and secure from 
unauthorized disclosure. Early on the administration's health care 
reform proposals provided that privacy and security guidelines would be 
required for computerized medical records. The administration's Privacy 
Working Group of its NII task force has been concerned with the 
formulation of principles to protect our privacy. In these regards, the 
President is to be commended.
  The difficulties I had with the initial provisions of the Health 
Security Act, were the delay in Congress' consideration of 
comprehensive privacy legislation for several more years and the lack 
of a criminal penalty for unauthorized disclosure of someone's medical 
records.
  Accordingly, back in May 1994, I introduced a bill to provide a 
comprehensive framework for protecting the privacy of our medical 
records from the outset rather than on a delayed basis. That bill was 
the Health Care Privacy Protection Act of 1994, S. 2129. I was 
delighted to receive support from a number of diverse quarters. We were 
able to incorporate provisions drawn from last year's Health Care 
Privacy Protection bill into those reported by the Labor and Human 
Resources Committee and the Finance Committee. These provisions were, 
likewise, incorporated in Senator Dole's bill and Senator Mitchell's 
bills, indicating that the leadership in both parties acknowledges the 
fundamental importance of privacy.
  Although Congress failed in its attempt to enact meaningful health 
care reform last Congress, we can and should proceed with privacy 
protection--whether or not a comprehensive health care reform package 
is resurrected this year. I am proud to say that the Medical Records 
Confidentiality Act that Senator Bennett and I are introducing today, 
derives from the work we have been doing over the last several years. I 
am delighted to have contributed to this measure and look forward to 
our bipartisan coalition working for enactment of these important 
privacy protections.
  Our bill establishes in law the principle that a person's health 
information is to be protected and to be kept confidential. It creates 
both criminal 

[[Page S 15579]]
and civil remedies for invasions of privacy for a person's health care 
information and medical records and administrative remedies, such as 
debarment for health care providers who abuse others' privacy.
  This legislation would provide patients with a comprehensive set of 
rights of inspection and an opportunity to correct their own records, 
as well as information accounting for disclosures of those records.
  The bill creates a set of rules and norms to govern the disclosure of 
personal health information and narrows the sharing of personal details 
within the health care system to the minimum necessary to provide care, 
allow for payment and to facilitate effective oversight. Special 
attention is paid to emergency medical situations, public health 
requirements, and research.
  We have sought to accommodate legitimate oversight concerns so that 
we do not create unnecessary impediments to health care fraud 
investigations. Effective health care oversight is essential if our 
health care system is to function and fulfill its intended goals. 
Otherwise, we risk establishing a publicly sanctioned playground for 
the unscrupulous. Health care is too important a public investment to 
be the subject of undetected fraud or abuse.
  I look forward to working with my colleagues both here in the Senate 
and in the House as we continue to refine this legislation. I want to 
thank all of those who have been working with us on the issue of health 
information privacy and, in particular, wish to commend the Vermont 
Health Information Consortium, the Center for Democracy and Technology, 
the American Health Information Management Association, the American 
Association of Retired Persons, the AIDS Action Council, the Bazelon 
Center for Mental Health Law, the Legal Action Center, IBM Corp. and 
the Blue Cross and Blue Shield Association for their tireless efforts 
in working to achieve a significant consensus on this important matter.
  With Senator Bennett's leadership and the longstanding commitment to 
personal privacy shared by Chairman Kassebaum and Senator Kennedy, I 
have every confidence that the Senate will proceed to pass strong 
privacy protection for medical records. With continuing help from the 
administration, health care providers and privacy advocates we can 
enact provisions to protect the privacy of the medical records of the 
American people and make this part of health care security a reality 
for all Americans.
                                 ______