[Congressional Record Volume 145, Number 38 (Wednesday, March 10, 1999)]
[Senate]
[Pages S2506-S2507]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. LEAHY (for himself, Mr. Kennedy, Mr. Daschle, and Mr. 
        Dorgan):
  S. 573. A bill to provide individuals with access to health 
information of which they are a subject, ensure personal privacy with 
respect to health-care-related information, impose criminal and civil 
penalties for unauthorized use of protected health information, to 
provide for the strong enforcement of these rights, and to protect 
States' rights; to the Committee on Health, Education, Labor, and 
Pensions.


              Medical Information Privacy and Security Act

  Mr. LEAHY. Mr. President, today, I am pleased to be joined by 
Senators Kennedy, Daschle and Dorgan in introducing the Medical 
Information Privacy and Security Act (MIPSA). I am also pleased that a 
companion bill will be introduced in the House by Congressman Edward 
Markey.
  The Millennium Bug is not the only computer-related problem Congress 
confronts this year. We face the deadline that Congress set for itself 
of August 21, 1999, to solve the multitude of privacy glitches in the 
handling of our medical records.
  At a time when some states are selling driving license photos and 
information, when our leading computer chip and software companies have 
built secret identifiers into their products to trace our every move in 
cyberspace without our consent, it is time for Congress to wake up to 
the privacy rights and expectations of all Americans before it is too 
late.
  The trouble is this: If you have a medical record, you have a medical 
privacy problem.
  A guiding principle in drafting this legislation has been that the 
movement to a more integrated system of health care in our country will 
only continue to be supported by the American people if they are 
assured that the personal privacy of their health care information is 
protected. In fact, without the confidence that one's personal privacy 
will be protected, many will be discouraged from seeking medical help.
  Most of us envision that our medical records are held in a manila 
file folder under the watchful care of our health care provider. If 
this is what you are picturing, you are sorely mistaken. Increased 
computerization of medical records and other health information is 
fueling both the supply and demand for our personal information. I do 
not want advancing technology to lead to a loss of personal privacy, 
and I do not want the fear that confidentiality is being compromised to 
deter people from seeking medical treatment or to stifle technological 
or scientific development.
  The traditional right of confidentiality between a health care 
provider and a patient is at risk. This erosion may reduce the 
willingness of patients to confide in physicians and other 
practitioners and may inhibit patients from seeking care.
  Unlike some, I believe that computerization can assure more privacy 
to individuals than the current system, if MIPSA is enacted. But if we 
do not act the increased potential for embarrassment and harassment is 
tremendous.
  The ability to compile, store and cross reference personal health 
information has made our intimate health history a valuable commodity. 
In 1996 alone, the health care industry spent an estimated $10 to $15 
billion on information technology.
  This data can be very useful for quality assurance, and to provide 
more cost effective health care. But I doubt that the American public 
would agree with a Fortune magazine article which lauded a health 
insurer that poked through the individual medical records of clients to 
figure out who may be depressed and could benefit from the use of the 
anti-depressant Prozac. Are we now encouraging the replacement of sound 
clinical judgment of doctors with health insurance clerks who look at 
records to determine whether you are not really suffering from a 
physical illness, but a mental illness?
  Just a few days ago The Wall Street Journal wrote about a company 
that is ``seeking the mother lode in health `data mining.' '' This 
company wants to get medical data on millions of Americans to sell to 
any buyer. Currently there are no laws constraining the creation of 
large data bases filled with sensitive personally identifiable 
information on any of us. Our information is like gold to these ``data 
miners.''
  If this battle is between American families who want some privacy and 
big business buying access to their personal medical records, I will 
stand with American families every time.
  Last year, an article in the Washington Post described the story of a 
woman whose prescription purchases were tracked electronically by a 
pharmacy benefits management company two states away, hired by her 
employer. With every swipe of her prescription-drug card she saved 50% 
on her prescriptions. At the same time, however, without her knowledge 
her sensitive health information was being compiled. Her doctor was 
soon informed that she would be enrolled in a ``depression program,'' 
watched for continued use of anti-depression medications, and be 
targeted for ``educational'' material on depression. All of this was 
done at the behest of her employer who had unfettered access to all of 
her personal health information.
  This woman was not suffering from a depression-related illness; her 
doctor prescribed the medication to help her sleep. This woman had no 
idea that by signing up for her managed care plan she was signing up to 
have her personal health information disclosed to individuals she had 
never even met.
  Employer access to personal health information of their workers is a 
real problem. A recent University of Illinois study found that 35 
percent of all Fortune 500 companies regularly review health 
information before making hiring decisions. On-work-site health care 
providers have testified before Congress that they are routinely 
pressured for employee health information and must comply or lose their 
jobs.
  What MIPSA makes clear is that there must be a ``fire wall'' between 
those within a company involved in providing health services and 
benefits, and other managers. The goal of privacy legislation is to be 
the first line of defense, so that individuals are not put in the 
situation of possibly being discriminated against. Our bill complements 
other laws and proposed legislation that bar discrimination based on 
health status.
  We must not let privacy slide to the point that the only way for a 
person to ensure confidentiality is to avoid seeking medical treatment.

  The simple fact is that many patients will not agree to participate 
in health research or to be tested if they fear the information that is 
revealed in the course of the research could be released, bringing them 
harm. In genetic testing studies at the National Institutes of Health, 
thirty-two percent of eligible people who were offered a test for 
breast cancer risk declined to take it, citing concerns about loss of 
privacy and the potential for discrimination in health insurance.
  The bill we are introducing today, the Medical Information Privacy 
and Security Act, would be the first comprehensive federal health 
privacy law.
  Our bill is broad in scope: It applies to medical records in whatever 
form--paper or electronic. It applies to each release of medical 
information, including re-releases. It comprehensively covers entities 
other than just health care providers and payers, such as life 
insurance companies, employers and marketers and others who may have 
access to sensitive personal health data.
  It gives individuals the right to inspect, copy and supplement their 
protected health information.
  It allows individuals to require the segregation of portions of their 
medical records, such as mental health records, from broad viewing by 
individuals who are not directly involved in their care.
  It gives individuals a civil right of action against anyone who 
misuses their personally identifiable health information. It 
establishes criminal and civil penalties that can be invoked if 
individually identifiable health information is knowingly or 
negligently misused.
  It creates a set of rules and norms to govern the disclosure of 
personal health information and narrows the sharing of personal details within 
the health care system to the minimum necessary to provide care, allow 
for payment and to facilitate effective oversight. Special allowances 
are made for situations such as emergency medical care and public 
health requirements.
  We have been very careful to balance the right to privacy with the 
needs of providers and health care plans, who can use medical 
information to improve the care of patients. MIPSA does not force 
patients to sign a blanket authorization allowing their information to 
go to anyone for any purpose in order to receive care. Unfortunately, 
individuals now have no choice but to sign away their rights if they 
want any health care treatment at all.
  MIPSA changes the authorization procedure by requiring that 
providers, health plans and hospitals clearly lay out to patients how 
their protected health information will be used, who will have access 
to their protected health information, and for what purpose. If anyone 
wants to use or disclose personally identifiable health information for 
a purpose that is not directly related to their treatment or billing, 
the patient has that right to say no without losing the ability to 
receive needed health care.
  It also takes special care to make sure that important medical 
research continues. MIPSA extends the protective practices currently 
followed by the National Institutes of Health (NIH) to all health 
research efforts--whether publicly or privately funded.
  It establishes a clear and enforceable right of privacy for all 
personally identifiable medical information including information 
regarding the results of genetic tests.
  We have tried to accommodate legitimate oversight concerns so that we 
do not create unnecessary impediments to health care fraud 
investigations. Effective health care oversight is essential if our 
health care system is to function and fulfill its intended goals. 
Otherwise, we risk establishing a publicly sanctioned playground for 
the unscrupulous. Health care is too important a public investment to 
be the subject of undetected fraud or abuse.
  It prohibits law enforcement agents from searching through medical 
records without a warrant. It does not limit law enforcement agents in 
gaining information while in hot pursuit of a suspect.
  We also require anyone who maintains your medical information to have 
strong safeguards in place. And MIPSA offers strong enforcement 
provisions and remedies for the misuse of medical information.
  It sets up a national office of health information privacy to aid 
consumers in learning about their rights and about how they can seek 
recourse for violations of their rights.
  Most importantly, our bill does not preempt any federal or state law 
or regulation that offers stronger privacy safeguards. We propose a 
floor rather than a ceiling, achieving two goals:
  First, a strong federal privacy law will eliminate much of the 
current patchwork of state laws governing the exchange of medical 
information, and will replace the patchwork with strong, clear 
standards that will apply to everyone.
  Second, MIPSA makes room for the many possible future threats to 
medical privacy that we may not even anticipate today. As medical and 
information technology moves forward into the next century we must 
maintain the public's right to seek stronger medical privacy laws 
closer to home.
  The elements of MIPSA are essential to any strong medical privacy 
effort.
  I am encouraged that a variety of public policy and health 
professional organizations, across the political spectrum, are 
signaling their intentions to step forward to join forces with 
consumers during this debate.
  We have 164 days to implement a strong federal medical privacy law. 
With the clock ticking toward the August deadline, let us act sooner 
rather than later.
  Mr. KENNEDY. Mr. President, we are here today to propose legislation 
to protect the privacy of personal medical information in our rapidly 
changing health care system. Today, video rental records have greater 
protection than sensitive medical information. Last month, we learned 
that the University of Michigan Medical Center posted information from 
thousands of patient records on the Internet, without any password 
protection or other safeguards. In many other cases, individual 
patients have been harmed by improper release of their private medical 
records.
  The legislation that Senator Daschle, Senator Leahy, Congressman 
Markey, and I are introducing today--the Medical Information Privacy 
and Security Act--puts patients first, while allowing for legitimate 
uses of medical information to improve health care.
  Congress recognized the need to act to protect the privacy of medical 
information when we passed the Kassebaum-Kennedy Act in 1996. That 
legislation contained a provision requiring Congress to pass 
legislation on the issue by August of this year. If the deadline is not 
met, the Administration has the power to act by regulation.
  The measure we are introducing ensures strong protections nationwide. 
It also allows individual states to take additional action. Stronger 
state laws are not pre-empted.
  The goal of these protections is to safeguard the confidential 
relationship between patients and physicians. Patients concerned about 
their privacy are less likely to disclose important information to 
their physicians. A recent survey by the California HealthCare 
Foundation found that one in six adults has taken steps to protect 
their personal medical information, such as providing inaccurate 
information in their medical history, or asking physicians not to 
include certain information in their medical records.
  Our legislation recognizes the fundamental right of patients to limit 
disclosure of personally-identifiable medical information. We have 
balanced that right with the needs of providers and health care plans 
to use medical information to improve patient care. Our proposal does 
not force patients to sign a blanket authorization in order to receive 
care. Instead, it contains a flexible framework that can be modified to 
fit different situations.
  Medical research is essential for progress against disease. But it is 
also essential for patients to have confidence that research is 
beneficial, not an invasion of privacy. In genetic testing studies at 
the National Institutes of Health, 32 percent of eligible people who 
were offered a test for breast cancer declined to take it, because of 
concerns about loss of privacy and the potential for discrimination in 
health insurance.
  Currently, most federal health research is governed by the ``Common 
Rule'', which includes evaluations by Institutional Review Boards in 
order to protect patients involved in the research. Our proposed 
legislation strengthens the privacy provisions in the ``Common Rule,'' 
and extends those protections to all health research.
  These issues are important, and I am optimistic that Congress will 
act in time to meet the August deadline. We have a responsibility to 
enact strong protections for privacy in all aspects of health care, and 
now is the time to act.