State and federal regulators' ability to protect the privacy of medical records was questioned last week in two new reports.
The reports come as Congress tries to meet a self-imposed Aug. 21 deadline to pass medical privacy legislation. After that, HHS can draft federal privacy standards, according to a 1996 health insurance reform law.
The first report, from a health privacy project at Georgetown University, Washington, said state laws governing medical records privacy are weak and incomplete in areas the federal government is seeking to regulate. For example, there should be limits on the disclosure of health information and punishments or penalties for violations. The report credits some states for having strong laws protecting the confidentiality of patients with AIDS, genetic disorders and other conditions.
The second report, from the General Accounting Office, said HCFA did not review its carriers' and intermediaries' procedures for protecting the privacy of beneficiaries' medical records in 1997 and 1998, possibly opening the door to unauthorized disclosure of confidential health information.
However, HCFA has logged only seven complaints in the past four years about unauthorized disclosure of private health information, the GAO told the House Ways and Means Committee's health subcommittee. The GAO said review of contractors' privacy safeguards should be a high priority in the coming year.