Last year, the 104th Congress tried, but failed, to pass a law protecting the confidentiality of medical records. It's not hard to understand this failure; the difficulties facing Congress are enormous.
These difficulties derive from two seemingly unrelated changes in the medical industry - changes in the way health care is financed and changes in the way medical records are catalogued and stored. These changes have created uncertainty about the future that makes legislation more difficult to draft. Ironically, the same changes that are holding Congress back are also pushing it forward, as the marriages of computers to medical records and big business to medical care have created incentives for abusing patient confidentiality. These abuses are fueling the clamor for a federal law.
Meanwhile, Congress is attempting to tame a snake pit of competing interests - the privacy interests of patients, the business interests of medical providers and insurance companies and the pure-profit interests of drug marketers, information brokers, computer manufacturers and database administrators.
Even though Congress failed last year to pass a law safeguarding medical privacy, it took a small step in this direction with a provision of the Health Insurance Portability and Accountability Act of 1996, also called the Kennedy-Kassebaum Bill. Though the law's focus was not medical records, it included a section requiring Congress to establish medical privacy rules within three years.
This little-publicized provision assures that Congress will continue to grapple with the issue of medical privacy. Both of the bills introduced in the 104th Congress - one by Sen. Bill Bennett, a Utah Republican, another by Rep. Jim McDermott, a Washington Democrat - are expected to be reintroduced this year.
Despite the difficulties of drafting legislation, the hallmarks of a good law are easy to recognize.
- Does the law recognize the importance of patient consent? One doesn't have to be a "privacy advocate" to understand that a patient's medical records should not be released unless the patient has signed an authorization. This is not a radical concept, but insurers and medical providers sometimes view it as an unnecessary complication.
- Does the law give patients a method for determining who is looking at their medical records, and why? It is not enough simply to provide patients legal remedies for violations of their privacy. Unless medical providers are required to tell patients when and why their records are released, patients often have no way to determine whether a privacy violation has occurred in the first place.
- Does the law grant patients the right to obtain copies of their own medical records? Presently, patient confidentiality is protected only by a patchwork of state laws, in some states all but nonexistent, in others based on the outdated, paternalistic view that patients should be shielded from the information contained in their own medical records. Both laws considered by Congress last year would have provided patients with hassle-free procedures for obtaining copies of their own records.
- Does the law provide bright-line rules for doctors and hospitals? Health-care providers of every variety are beset with outside requests for medical records, usually for use in personal injury litigation. A good law would provide clear, unambiguous directions for either releasing or withholding medical information. Otherwise, medical providers will have to rely on lawyers to interpret ambiguities - a cost that is ultimately borne by consumers.
- Does the law pre-empt state law rights and remedies? Sen. Bennett's proposed legislation would pre-empt - in other words, abolish - all existing state laws dealing with medical records. Admittedly, this is advantageous for companies in the business of administering nationwide databases of medical information, since a hodgepodge of differing state laws makes this more costly. But patients lose by pre-emption, as it prevents consumer-friendly states from imposing additional, more stringent protections for their citizens.
Although it is hard for some to believe that anything sinister will happen to their medical records, even if the records contain secrets like past drug use or sexually transmitted disease, the anecdotal evidence is to the contrary. A recent study by experts at Harvard and Stanford universities documented more than 200 instances of people being denied jobs, insurance, the right to adopt and educational opportunities based on information contained in their medical records.
Throw into the mix a number of high-visibility breaches of medical privacy, such as the intentional disclosure last year of a confidential roster of 4,000 Florida AIDS patients, and one begins to understand the importance of tighter controls.
Perhaps the 105th Congress can get the job done.