[Congressional Record Volume 143, Number 152 (Tuesday, November 4, 1997)]
[Senate]
[Pages S11689-S11691]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. LEAHY (for himself and Mr. Kennedy):
  S. 1368. A bill to provide individuals with access to health 
information of which they are the subject, ensure personal privacy with 
respect to personal medical records and health care-related 
information, impose criminal and civil penalties for unauthorized use 
of personal health information, and to provide for the strong 
enforcement of these rights; to the Committee on Labor and Human 
Resources.


                The Medical Records Privacy Act of 1997

  Mr. LEAHY. Mr. President, the time has come for Congress to enact a 
strong and effective federal law to protect the privacy of medical 
records.

  To address this need, today, Senator Kennedy and I are introducing 
the Medical Information Privacy and Security Act (MIPSA).
  Americans strongly believe that their personal, private medical 
records

[[Page S11690]]

should be kept private. The time-honored ethics of the medical 
profession also reflect this principle. The physicians' oath of 
Hippocrates requires that medical information be kept ``as sacred as 
secrets.''
  A guiding principle in drafting this legislation is that the movement 
to a more integrated system of health care in our country will only 
continue to be supported by the American people if they are assured 
that the personal privacy of their health care information is 
protected. In fact, without the confidence that one's personal privacy 
will be protected, many will be discouraged from seeking medical help.
  I am encouraged that a variety of public policy and health 
professional organizations, across the political spectrum, are 
signaling their intentions to step forward to join forces with 
consumers during this debate.
  For the American public, and for the Congress, this debate boils down 
to a fundamental question: Who controls our medical records, and how 
freely can others use them?
  Many of us in this chamber quickly criticized the Social Security 
Administration and the IRS regarding the security of computer records. 
We blasted the IRS for allowing employees to randomly scan through our 
personal financial records.
  If we are concerned about IRS employees looking at our tax records, 
should we not be concerned about the millions of employers, insurers, 
pharmaceutical companies, government agencies and others who have 
nearly unfettered access to the personal medical records of more than 
250 million Americans?
  All of us are health care consumers--every individual and every 
American family. As Congress works toward answering this question, the 
privacy interests of the American public will be at odds with powerful 
economic interests and with the penchant for large organizations and 
complex systems to control this kind of personal information. Well-
funded and sharply focused special interests often win in a match-up 
like this.
  Senator Bob Dole, the former majority leader of the Senate, put his 
finger on this problem when he observed that a ``compromise of 
privacy'' that sends information about health and treatment to a 
national data bank without a person's approval would be something that 
none of us would accept.
  Unfortunately, this nightmare that Senator Dole envisioned is being 
brought to life by provisions insisted upon by the House in last year's 
health insurance portability bill that require a system of health care 
information exchanges by computers and through computer clearinghouses 
and data networks.
  We are now confronted with the fact that the computerization of 
health care record provisions are going into effect in the next few 
months but we are still contemplating the delay of promulgating privacy 
protection until August of 1999, unless Congress acts sooner.
  The Information Age opens the door to endless new possibilities and 
has empowered individuals with marvelous new tools and freedoms. But 
technology is our servant; we should not let it become our master. 
Unless we are vigilant, the Information Age can overwhelm our privacy 
rights before we even know it has happened.
  I do not want advancing technology to lead to a loss of personal 
privacy and do not want the fear that confidentiality is being 
compromised to deter people from seeking medical treatment or stifle 
technological or scientific development.
  The outlines of the challenge we face in stemming the erosion of 
medical privacy are already clear. Insurance companies have set up 
their Medical Information Bureau (MIB) which stores personal medical 
information on millions of Americans. M.I.B. may have personal 
information on all of us in Congress and our families.
  Managed care companies, HMOs, drug companies, and hospitals are 
spending up to $15 billion a year on information technology to acquire 
and exchange vast amounts of medical information about Americans.
  While this in and of itself may not be the issue--the question is how 
and why is it being collected and for what specific use is this 
information being used and do individuals know about this? Patients 
should be advised about the existence of data bases in which medical 
information concerning the patients is stored.
  This information can be very useful for quality assurance, and to 
provide more cost effective health care. But I am not certain that the 
American public would agree with a recent Fortune magazine article 
which lauded a health insurer that poked through the individual medical 
records of clients to figure out who may be depressed and could benefit 
from the use of the anti-depressant Prozac. Are we now encouraging 
replacing sound clinical judgment of doctors with health insurance 
clerks who look at records to determine whether you are not really 
suffering from a physical illness, but a mental illness?
  Contrary to some, I believe that computerization can assure more 
privacy to individuals than the current system if my legislation is 
enacted. But if we do not act the increased potential for embarrassment 
and harassment is tremendous.
  There are many more stories which highlight the problems that are out 
there due to the lack of privacy and security of individuals' medical 
records; unfortunately, so many other breaches of privacy are more 
subtle.
  Singer Tammy Wynette entered the hospital in 1995 for a bile duct 
problem. She used a pseudonym, but a hospital staff member broke into 
her computerized medical records and sold the information to the press, 
supposedly for thousands of dollars. The sensational National Enquirer 
then erroneously reported that Wynette was near death and in need of a 
liver transplant.
  A current Member of Congress had her medical records faxed to the New 
York Post on the eve of her primary. In 1994, she offered eloquent 
testimony before Congress detailing her ordeal.
  In another example, an insurance agent advised a couple that they 
would be denied coverage for any more pregnancies since they had a 25 
percent chance that their children would have a fatal disease.
  In Florida, a state public health worker improperly brought home a 
computer disk with the names of 4,000 HIV positive patients. The disks 
were then sent to two Florida newspapers.
  Medical privacy issues in today's world also take on international 
implications. Canada and the nations of Europe are taking concrete 
steps to protect the confidentiality of computerized medical records.
  Our nation lags so far behind others in its protection of medical 
records that companies in Europe may not be allowed to send medical 
information to the United States electronically. European countries--
through an EU privacy directive--are ensuring that private medical 
records are kept private. The EU prohibits the transfer of personal 
information from Europe to the U.S. if the EU finds U.S. privacy law 
inadequate. The implications for U.S. trade are staggering.
  The legislation we are introducing today addresses the issues I have 
outlined to close the existing gaps in federal privacy law to cover 
personally identifiable health information.
  MIPSA is broad in scope--it applies to medical records in whatever 
form--paper or electronic. It applies to each release of medical 
information--including re-releases. It comprehensively covers entities 
other than just health care providers and payers, such as life 
insurance companies, employers and marketers and others that may have 
access to sensitive personal health data.
  It establishes a clear and enforceable right of privacy with respect 
to all personally identifiable medical information including information 
regarding the results of genetic tests.
  It gives individuals the right to inspect, copy and supplement their 
protected health information. Today, only 28 states grant this right.
  It allows individuals to segregate portions of their medical records, 
such as mental health records, from broad viewing by individuals who 
are not directly involved in their care.
  It gives individuals a civil right of action against anyone who 
misuses their personally identifiable health information. It 
establishes criminal and civil penalties that can be invoked if 
individually identifiable health information is knowingly or 
negligently misused.

[[Page S11691]]

  It sets up a national office of health information privacy to aid 
consumers in learning about their rights and how they may seek recourse 
for violations of their rights.
  It creates a set of rules and norms to govern the disclosure of 
personal health information and narrows the sharing of personal details 
within the health care system to the minimum necessary to provide care, 
allow for payment and to facilitate effective oversight. Special 
attention is paid to situations such as emergency medical care and 
public health requirements.
  We have tried to accommodate legitimate oversight concerns so that we 
do not create unnecessary impediments to health care fraud 
investigations. Effective health care oversight is essential if our 
health care system is to function and fulfill its intended goals. 
Otherwise, we risk establishing a publicly-sanctioned playground for 
the unscrupulous. Health care is too important a public investment to 
be the subject of undetected fraud or abuse.
  MIPSA also extends to all research facilities using personally 
identifiable information the current requirements met by federally 
funded researchers. I am troubled that research is viewed by some as an 
area where privacy rights should be sacrificed and consent not required 
for use of individually identifiable health information. If there are 
to be any exceptions in a federal medical privacy law for research 
using personally identifiable health information, the Congress and the 
American people need to understand better why this may be necessary. To 
address this concern our bill mandates an evaluation of the waiver of 
informed consent that is allowed under current regulations.
  It does not preempt state laws that are more protective of privacy. 
This is consistent with all other federal civil rights and privacy 
laws.
  It prohibits law enforcement agents from searching through medical 
records without a warrant. It does not limit law enforcement agents to 
gain information while in hot pursuit of a suspect.
  I know that these are important matters about which many of us feel 
very strongly. It is never easy to legislate about privacy.
  I invite other Members of Congress, federal agencies and outside 
interest groups to examine the legislation we have introduced today. 
This bill is a work in progress and we welcome any comments or 
suggestions to make improvements to this legislation.
  I am pleased that my colleague from Vermont, the Chairman of the 
Labor and Human Resources Committee, Senator Jeffords, has already held 
two hearings this year on the issue of medical privacy. The clock, 
however, is ticking and other Members of Congress need to join us to 
move forward to pass strong and workable medical privacy legislation.
  As policy makers, we must remember that the right to privacy is one 
of our most cherished freedoms--it is the right to be left alone and to 
choose what we will reveal of ourselves and what we will keep from 
others. Privacy is not a partisan issue and should not be made a 
political issue. It is too important.