The long summer recess did little to reinvigorate congressional interest in protecting the confidentiality of medical records.
Lawmakers, who failed to meet their self-imposed Aug. 21 deadline to act on the issue, appear to be caught up wrangling over other matters, such as tax cuts, Medicare and positioning themselves for elections in 2000, observers say.
"I cannot predict if Congress will get this (medical records privacy bill) out of committee, and I don't think anybody really knows," says Don Asmonga, government relations manager in Washington for the Chicago-based American Health Information Management Association. "It's not the most glitzy political issue."
As part of the 1996 Health Insurance Portability and Accountability Act, Congress set a deadline to pass legislation protecting the privacy of electronic medical records. HIPAA stipulated that if Congress missed the August deadline, HHS would step in and develop regulations on its own. And according to one industry source, HHS has nearly completed those regulations and will likely issue them this month.
The lack of movement on Capitol Hill is not due to a lack of interest. A bipartisan proposal to protect records has been introduced in the Senate by Jim Jeffords (R-Vt.) and Christopher Dodd (D-Conn.). Sens. Patrick Leahy (D-Vt.) and Edward Kennedy (D-Mass.) also have introduced a bill, as has Sen. Robert Bennett (R-Utah).
The five bills in the House have single sponsors: Reps. Jim Greenwood (R-Pa.), Chris Shays (R-Conn.), John Murtha (D-Pa.), Gary Condit (D-Calif.) and Edward Markey (D-Mass).
What's striking about the various bills, particularly in light of the need for a timely compromise, is the many provisions they have in common. Most call for a guarantee of patient access to records, the creation of safeguards to protect the privacy of records--including the requirement that healthcare institutions ensure staff members are taught to maintain the privacy of records--and the imposition of fines for those who violate privacy.
In fact, bipartisan support would be easy were it not for two issues that continue to delay the process, says Joe Karpinski, spokesman for the Senate Health, Education, Labor and Pensions Committee.
The first centers on the amount of compensation a patient would be entitled to in the event his or her privacy is violated. Although Republican-sponsored bills allow for the right of patients to sue, they also introduce caps that limit the amount of awards to patients. Some Democrats object to the concept of caps; others would like to see the caps raised. Some Democrats also want the legislation to include a provision for punitive damages.
The second issue dividing the parties centers on how much control minors should have over their own medical records.
"The lack of standards is just unbelievably burdensome," says James Durham, chairman and CEO of Richmond, Calif.-based QuadraMed Corp. "There's so much movement (of records) back and forth with patients moving and changing health plans" that keeping up with the many different state laws and guidelines is nearly impossible, he says. QuadraMed is a medical records management company.
Asmonga, whose organization represents and provides national certification for 40,000 medical-record and health-information management professionals, agrees.
"Healthcare has become so multistate that if you don't have (a federal) pre-emption, you'll have many different disclosure laws and security requirements," he says. "You need a clear standard."
The clear standard that the AHIMA seeks is:
- Pre-empt state confidentiality laws with a single, stringent national standard;
- Allow health information to be used for lawful purposes only and impose civil and criminal penalties for violations;
- Give patients access to their own records;
- Disclose the confidentiality policies of healthcare organizations;
- Require healthcare organizations to have substantive information-security policies in place, such as appropriate training, supervision and sanctioning of employees, limitations on access to individual identifiers and procedures for handling requests for protected information by persons other than the patient.
As it stands, the Bennett bill is neutral in regard to the rights of minors; it allows state laws to determine whether minors have control of their medical records. The Kennedy bill, however, would allow minors in states that give juveniles access to their medical records the right to control them. Kennedy's proposal has caught the attention of pro-life forces because it would trump many state laws that prevent minors from having abortions without the consent of their parents.
"It's important to bring this bill to the floor with bipartisan support, as it really has no broad-base support of its own," Karpinski says. "Privacy is not showing up in any polls and is not the kind of thing that people are writing their congressmen about. If we bring (the bill) to the floor with a partisan tilt, we will never get anywhere.
"Congress has two options," he says. "One is to throw in the towel and let HHS do its job; the other would be to delay the HHS timetable" and mold a bill that has bipartisan support. Karpinski predicts that if Congress can show it expects to produce legislation within a reasonable amount of time, then HHS will not move forward with its own regulations.
Even President Clinton is pushing Congress to make a move. He said in September: "If Congress does not soon pass legislation to protect patient records, I will honor the pledge I made to the American people in the State of the Union (Address) to do so through executive action."
As it stands, HHS is set to release its proposed regulations in mid-October. A public comment period would follow, and then final regulations would be issued.
The cost of telling secretsPenalty provisions in proposed Senate privacy legislation
Civil penalty: $500 for each violation and not more than $5,000 in the aggregate for violations of Title I; $10,000 for each violation and not more than $50,000 in the aggregate for violations of Title II; $100,000 for violations that occur with such frequency that they constitute a business practice.
Criminal penalty: "Any person who knowingly and intentionally" obtains or discloses protected health information in violation of Title II of the Act faces penalties of a $50,000 fine and/or one year in prison; a $250,000 fine and/or five years in prison if committed under false pretenses; and a $500,000 fine and/or 10 years in prison if committed with intent to sell, transfer or use protected health information for commercial advantage, personal gain or malicious harm.
Disbarment: Violations will be grounds for barring organizations from participating in any federally funded healthcare programs.
Civil penalty: Same as Jeffords'.
Criminal penalty: Same as Jeffords'.
Disbarment: Similar to Jeffords'.
Civil penalty: Similar to those of Jeffords and Leahy.
Criminal penalty: Similar to those of Jeffords and Leahy, though penalties are less: 1) a $50,000 fine and/or not more than one year in prison; 2) a $100,000 fine and/or not more than five years in prison; and 3) a $250,000 fine and/or not more than 10 years in prison.
Disbarment: Disbarment for crimes deleted.