[Congressional Record Volume 143, Number 1 (Tuesday, January 7, 1997)]
[Extensions of Remarks]
[Pages E30-E31]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




             FAIR HEALTH INFORMATION PRACTICES ACT OF 1997

                                 ______
                                 

                          HON. GARY A. CONDIT

                             of california

                    in the house of representatives

                        Tuesday, January 7, 1997

  Mr. CONDIT. Mr. Speaker, I have today introduced the Fair Health 
Information Practices Act of 1997. The purpose of this bill is to 
establish a uniform Federal code of fair information practices for 
individually identifiable health information that originates or is used 
in the health treatment and payment process.
  This is the third time that I have introduced a health privacy bill, 
and I hope that the third time is the charm. In the 103d Congress, I 
introduced H.R. 4077. The bill was the subject of several days of 
hearings in 1994. In August 1994, the bill was reported by the 
Committee on Government Operations and became the confidentiality part 
of the overall health care reform effort. While my bill died along with 
the rest of health care reform, it was one of the only noncontroversial 
parts of health reform. In the 104th Congress, I introduced H.R. 435, a 
bill that was identical to the version reported by the Committee on 
Government Operations in 1994. A lengthy explanation of the bill can be 
found in the Government Operations Committee report, House Report 103-
601 part V. That report remains highly relevant to this year's bill as 
well.
  During the last 2 years, most of the action on health privacy took 
place on the Senate side. The leading Senate bill was S. 1360 which was 
introduced by Senator Bennett. His bill and mine have many similarities 
in language and structure, but there are also numerous smaller but 
significant differences. In addition, my bill covers several aspects of 
health privacy that were not included in Senator Bennett's original 
bill. I am aware that several interim drafts were developed by Senator 
Bennett during the course of the Congress, and these drafts narrowed 
some of the differences between our two bills. I look forward to the 
new version of the Senate bill. My bill is largely similar to H.R. 435, 
but I have made several changes based on new ideas and developments 
that emerged in the last 2 years. The substantive changes in this 
year's proposal are:
  (1) References to health information service organizations have been 
dropped. This was a place holder for other institutions that were being 
developed in the context of broad health care reform. The references 
are no longer meaningful.
  (2) The section on ``Accounting for Disclosures'' has been retitled 
as ``Disclosure History.'' Nothing substantive was changed, but the new 
language is more descriptive.
  (3) In section 1.01, I added language to the patient access section 
making it clear that copies of records have to be provided to the 
patient in any form or format requested by the patient if the record is 
readily reproducible by the trustee in that form or format. The 
language was inspired in part by the recently passed Electronic Freedom 
of Information Amendments. The purpose is to make sure that a patient 
can have a record in a format that will be meaningful to the patient or 
useful to other health care providers.
  (4) Also in section 1.01, the exception to patient access for mental 
health treatment notes has been eliminated. The policy of the bill is 
that a patient should have broad access to his or her health record. 
Exceptions are provided only when there is a direct conflict with 
another interest or when access is meaningless or pointless. The only 
substantive exception had been for mental health treatment notes. Given 
the broad sweep of the access provision, I am not sure that this 
exception can be justified any more. I left it out this year so that 
the advocates of the exception would have to come forward to argue for 
its inclusion and make their case on the public record.
  (5) New language in section 301(d) creates an Office of Information 
Privacy in the Department of Health and Human Services. The head of the 
office is the Privacy Advisor to the Department. This is not really a 
new office. The Department recently established a private Advocate. The 
purpose of the new legislative language is to define the health privacy 
functions of this office with more precision and permanence.
  (6) Section 304 of the bill deals with preemption of State laws. This 
is a difficult subject that clearly need more work and thought. I added 
one new idea this year. New language provides that the States may 
impose additional requirements on its own agencies with respect to the 
use or disclosure of protected health information. The idea is a simple 
one. If a State wants to impose more stringent restrictions on the 
ability of State police, State fraud investigators, or other State 
offices to use or disclose protected health information, it may do so.
  In this instance, higher standards will not interfere with access to 
or use of information by other authorized users or by the Federal 
Government. The goal is to allow States to set as high a floor as they 
choose with respect to their own activities. This will not undermine 
the uniformity principle otherwise reflected in the bill, and it will 
not affect the drive for administrative simplification or uniform 
technical standards. Only State agencies will be affected by my new 
language. I thought that this

[[Page E31]]

idea was worth including so that it would attract comment. The language 
itself may need further tweaking.
  The need for uniform Federal health confidentiality legislation is 
clear. In a report titled ``Protecting Privacy in Computerized Medical 
Information,'' the Office of Technology Assessment found that the 
present system of protecting health care information is based on a 
patchwork quilt of laws. State laws vary significantly in scope and 
Federal laws are applicable only to limited kinds of information or to 
information maintained only by the Federal Government. Overall, OTA 
found that the present legal scheme does not provide consistent, 
comprehensive protection for privacy in health care information, 
whether that information exists in a paper or computerized environment. 
A similar finding was made by the Institute of Medicine in a report 
titled ``Health Data in the Information Age.''
  A public opinion poll sponsored by Equifax and conducted by Louis 
Harris and Associates documents the importance of privacy to the 
American public. Eighty-five percent agree that protecting the 
confidentiality of people's medical records is absolutely essential or 
very important in national health care reform. The poll shows that most 
Americans believe protecting confidentiality is a higher priority than 
providing health insurance to those who do not have it today, reducing 
paperwork burdens, or providing better data for research. The poll also 
showed that 96 percent of the public agrees that it is important for an 
individual to have the right to obtain a copy of their own medical 
record.
  Health information is a key asset in the health care delivery and 
payment system. Identifiable health information is heavily used in 
research and cost containment, and this usage will only grow over 
time. The Health Insurance Portability and Accountability Act of 1996 
passed in the last Congress recognized that confidentiality legislation 
was essential to the fair management of health information. The law 
established a 3-year timetable for congressional action on 
confidentiality. That clock is ticking already, and we don't have much 
time to waste.

  By establishing fair information practices in statute, the long-term 
costs of implementation will be reduced, and necessary protections will 
be uniform. This will assure patients and health professionals that 
fair treatment of health information is a fundamental element of the 
health care system. Uniform privacy rules will also assist in 
restraining costs by supporting increased automation, simplifying the 
use of electronic data interchange, and facilitating the portability of 
health coverage.
  Today, few professionals and fewer patients know the rules that 
govern the use and disclosure of medical information. In a society 
where patients, providers, and records routinely cross State borders, 
it is rarely worth anyone's time to attempt to learn the rules of any 
one jurisdiction, let alone several jurisdictions. One goal of my bill 
is to change the culture of health records so that everyone will be 
able to understand the rights and responsibilities of all participants. 
Common rules and a common language will facilitate broader 
understanding and better protection. Physicians will be able to learn 
the rules once with the confidence that the same rules will apply 
wherever they practice. Patients will learn that they have the same 
rights in every State and in every doctor's office.
  There are two basic concepts that are essential to an understanding 
of the bill. First, identifiable health information that is created or 
used during the health care treatment or payment process becomes 
protected health information, or individually identifiable patient 
information relating to the provision of health care or payment for 
health care. This new terminology emphasizes the sensitivity of the 
information and connotes an obligation to safeguard the data. Protected 
health information generally remains subject to statutory restriction 
no matter how it is used or disclosed.
  The second basic concept is that of a health information trustee. 
Anyone who obtains access to protected health information under the 
bill's procedures becomes a health information trustee. Trustees have 
different sets of responsibilities and authorities depending on their 
functions. The authorities and responsibilities have been carefully 
defined to balance legitimate societal needs for data against each 
patient's right to privacy and the need for confidentiality in the 
health treatment process. Of course, every health information trustee 
has an obligation to maintain adequate security for protected health 
information.
  The term trustee was selected in order to underscore that those in 
possession of identifiable health information have obligations that go 
beyond their own needs and interests. A physician who possesses 
information about a patient does not own that information. It is more 
accurate to say that both the record subject and the record keeper have 
rights and responsibilities with respect to the information. My 
legislation defines those rights and responsibilities. The concept of 
ownership of personal information maintained by third-party record 
keepers is not particularly useful in today's complex world.
  A key element of this system is the specification of the rights of 
patients. Each patient will have a bundle of rights with respect to 
protected health care information about himself or herself that is 
maintained by a health information trustee. A patient will have the 
right to seek correction of information that is not timely, accurate, 
relevant, or complete. A patient will also have the right to expect 
that every trustee will use and maintain information in accordance with 
the rules in the Act. A patient will have a right to receive a notice 
of information practices. The bill establishes standards and procedures 
to make these rights meaningful and effective.

  I want to emphasize that I have not proposed a pie-in-the-sky privacy 
code. This is a realistic bill for the real world. I have borrowed 
ideas from others concerned about health records, including the 
American Health Information Management Association, the Workgroup for 
Electronic Data Interchange, and the National Conference of 
Commissioners on Uniform State Laws. Assistance provided by the 
American Health Information Management Association [AHIMA] was 
especially helpful in the development of this legislation several years 
ago. AHIMA remains a valuable source of knowledge on health records 
policies and an ardent supporter of Federal health privacy legislation.
  I believe that we do not have the luxury of elevating each patient's 
privacy interest above every other societal interest. Such a result 
would be impractical, unrealistic, and expensive. The right answer is 
to strike an appropriate balance that protects each patient's interests 
while permitting essential uses of data under controlled conditions. 
This should be happening today, but record keepers do not know their 
responsibilities, patients rights are not always clearly defined, and 
there are large gaps in legal protections for health information.
  My bill recognizes necessary patterns of usage and combines it with 
comprehensive protections for patients. There will be no loopholes in 
protection for information originating in the health treatment or 
payment process. As the data moves to other parts of the health care 
system and beyond, it will remain subject to the Fair Health 
Information Practices Act of 1997. This may be the single most 
important feature of the bill.
  The legislation includes several remedies that will help to enforce 
the new standards. For those who willfully ignore the rules, there are 
strong criminal penalties. For patients whose rights have been ignored 
or violated by others, there are civil remedies. There will also be 
administrative sanctions and arbitration to provide alternative, less 
expensive, and more accessible remedies.
  The Fair Health Information Practices Act of 1997 offers a complete 
and comprehensive plan for the protection of the interests of patients 
and the needs of the health care system in the complex modern world of 
health care. More work still needs to be done, and I am committed to 
working with every group and institution that will be affected by the 
new health information rules. I remain open to new ideas that will 
improve the bill.
  In closing, I want to acknowledge the limits of legislation. We must 
recognize and accept the reality that health information is not 
completely confidential. It would be wonderful if we could restore the 
old notion that what you tell your doctor in confidence remains 
absolutely secret. In today's complex health care environment, 
characterized by third party payers, medical specialization, high-cost 
care, and increasing computerization, this is simply not possible. My 
legislation does not and cannot promise absolute privacy. What it does 
not offer is a code of fair information practices for health 
information.
  The promise of that code to professionals and patients alike is that 
identifiable health information will be fairly treated according to a 
clear set of rules that protect the confidentiality interests of each 
patient to the greatest extent possible. While we may not realistically 
be able to offer any more than this, we surely can do no less for the 
American public.

                          ____________________