[Congressional Record Volume 145, Number 40 (Monday, March 15, 1999)]
[Senate]
[Page S2681]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




       HEALTH CARE PERSONAL INFORMATION NONDISCLOSURE ACT OF 1999

 Mr. JEFFORDS: Mr. President, I rise today to speak about the 
Health Care Personal Information Nondisclosure Act, or the Health Care 
PIN Act of 1999, which I introduced last Wednesday with my friend, 
Senator Dodd. This timely piece of bipartisan legislation sets the 
necessary national standards that will secure the privacy and 
confidentiality of every American's medical records.
  This legislation clarifies patients' rights to copy or amend their 
medical records. The legislation also encourages insurers and providers 
with large sets of records to implement their own safeguards and 
protections from misuse. It sets clear guidelines for the use and 
disclosure of medical information by health care providers, 
researchers, insurers, and employers. Most importantly, it requires 
that individually identifiable health care information not be released 
without the patient's informed consent.
  In the past few decades, the delivery and administration of medicine 
have evolved by leaps and bounds. Technological advances have 
contributed to a better and more efficient health care system. They 
create new opportunities for the prevention and treatment of disease. 
Electronic pharmaceutical records make it possible for pharmacists to 
identify potential drug interactions before they fill a prescription. 
Telemedicine will make it possible for patients at Copley Hospital in 
Morrisville, Vermont, a small village of 2,000 people, to benefit from 
the expertise of physicians fifty miles away at Fletcher-Allen, 
Burlington, Vermont's nationally known academic medical center.
  The improved access to this information does not come without a risk. 
We often don't know with any certainty who has access to our private 
records. The establishment of large computer databases, some with 
millions of patient records, has not only allowed for new, life-saving 
medical research but has increased the potential for misuse of private 
medical information.
  Last month, for example, at the University of Michigan Medical 
Center, several thousand patient records were inadvertently posted on 
an Internet site. Private patient records containing names, addresses, 
employment status, and treatment for specific medical conditions 
lingered on the Web for two months. Fortunately, in this case, the 
lapse was discovered before anyone accessed the site, or any damage 
done.
  The Health Care PIN Act establishes clear guidelines for the use and 
disclosure of medical records by health care providers, researchers, 
insurers, and employers. With very few exceptions, individually 
identifiable health care information should be disclosed for health 
purposes only, which includes the provision and payment of care and 
plan operations. In order to protect patients from abuse and 
exploitation, this bill imposes civil and criminal penalties on 
individuals who use information improperly through unauthorized 
disclosure.
  Other nations have taken steps to protect patient privacy. In 1995, 
the European Union enacted the Data Privacy Directive. This Directive 
requires all 15 European Union member states to establish consistent 
national privacy laws. This initiative raises the concern that the 
European Union could limit the flow of data between countries that do 
not provide for comparable protections. If we do not act promptly, this 
directive may act as a deterrent to the international exchange of 
health information and restrict the ability of American companies to 
compete overseas.
  Even more pressing is the Health Insurance Portability and 
Accountability Act of 1996, also known as the Kassebaum-Kennedy Act, 
which established several mandates relating to medical records privacy. 
One provision set August, 1999, as the deadline by which Congress must 
act to ensure the confidentiality of electronically transmitted data. 
If, for some reason, Congress fails to act by this date, HIPAA includes 
a default provision directing the Secretary of Health and Human 
Services to promulgate regulations. We are introducing this bill now 
and we must act as soon as possible in order to meet the HIPAA 
deadline.
  Our bill recognizes that some states, like my home state of Vermont, 
have already taken the lead in the area of privacy protections. Last 
year's bill provided a uniform federal standard for protected health 
information, with the exceptions of state mental health and public 
health laws. In addition to these protections, this bill will also 
allow stronger medical records privacy laws enacted prior to the 
effective date of the act to remain in place.
  Senator Dodd and I look forward to working with members of the 
Committee on Health, Education, Labor, and Pensions, as well as others 
who have contributed time and effort to this issue, as we move forward 
to enact this necessary and bipartisan Health Care PIN Act of 
1999.

                          ____________________