------------------------------------------------------------------------
CDT POLICY POST
July 6, 1995
Number 21
CENTER FOR DEMOCRACY AND TECHNOLOGY
------------------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
------------------------------------------------------------------------
CDT POLICY POST Number 21 July 6, 1995
CONTENTS: (1) SENATE HEALTH BILL WILL EXPOSE PRIVATE HEALTH RECORDS
          (2) ANALYSIS OF 'HEALTH INFORMATION MODERNIZATION AND
              SECURITY ACT' (S. 872)
          (3) WHAT YOU CAN DO
          (4) ABOUT CDT/CONTACTING US

This document may be re-distributed freely provided it remains in its
entirety.
-------------------------------------------------------------------------
1) BOND HEALTH BILL (S 872) WILL EXPOSE PRIVATE HEALTH RECORDS TO
UNAUTHORIZED ACCESS

The "Health Information Modernization and Security Act" (S. 872),
introduced in May by Senator Bond (R-MO), poses a serious threat to
individual privacy by encouraging the development of health information
systems that will expose sensitive personal information to unauthorized
use and access. The Bond bill does not adequately address the threats to
individual privacy presented by the use of such systems.

CDT urges Congress to pass legislation such as the Fair Health
Information Practices Act (H.R. 435) introduced in the House by Gary
Condit (D-CA). We urge Senator Bond to amend his proposal to incorporate
the comprehensive privacy protections set out in the Condit bill.

Currently there is no comprehensive federal law that protects the
confidentiality of personal information that individuals divulge during
encounters with the health care industry. Yet most individuals consider
information on their health to be the most sensitive information about
themselves and to be the information most in need of privacy protection.
The lack of strong uniform privacy protection for personal health
information has left individuals vulnerable to privacy violations in a
paper-based world.
However, the computerization of personal health information without
appropriate privacy policies and technological mechanisms to control its
collection, use, access and disclosure will make such information more
vulnerable to abuse than ever before.

The traditional barriers of location and time disappear in the age of
computerization. With birth-to-death dossiers on each American on line,
the potential for multiple simultaneous access from various locations
exists. The locked file cabinet that traditionally protected medical
information from prying eyes must be reinvented for the age of
automation. Legislation to protect the privacy of health information is
urgently needed.

As health care reform came to a halt at the end of the 103rd Congress, a
piece of health care reform legislation that received support from
Democrats, Republicans, health providers, health insurers, and privacy
advocates was the Fair Health Information Practices Act (introduced by
Senator Pat Leahy (D-VT) and Representative Condit). The bill was coupled
with an earlier version of Bond's Health Information Modernization Bill.
In fact, the privacy protections for health information found in these
proposals were fleshed-out versions of language contained in every major
piece of health care reform legislation in Congress. Protecting the
privacy and confidentiality of health information is one of the issues
on which broad consensus was reached during the health care debate last
year.

Without a detailed privacy section, the Health Information Modernization
and Security Act harkens back to provisions in President Clinton's
Health Security Act that received widespread ridicule. Like the
Administration's Health Security Act, Senator Bond's proposal fails to
fully address the confidentiality of personal health information.

The Health Information Modernization and Security Act fails to
incorporate privacy and security standards into the legislation. It
directs the Secretary of Health and Human Services to establish
standards for the implementation of privacy and security within eighteen
months of enactment.

The lack of privacy, confidentiality and security provisions within the
Act is disturbing, since a goal of the bill is "encouraging the
development of a health information network through the establishment of
standards and requirements for the electronic transmission of certain
health information." The Act would greatly increase the ease with which
information is accessed, compiled, exchanged and manipulated. The
failings of this bifurcated approach to policy and technology were
readily apparent to the Administration, Congress, privacy advocates and
the private sector in 1994. If Congress advocates a move to automated
record keeping, it must simultaneously protect the sensitive information
on individuals that will be stored and transmitted by these systems.
Before the government accelerates or mandates computerization in the
health care field, it is crucial that comprehensive privacy protections for
health information be established.

During the last Congress there was consensus that health information systems
could not be designed and constructed without enforceable privacy rules
in place. It is neither reasonable nor rational to design a system
knowing that the sensitive information each American would be asked to
entrust would be largely unprotected from misuse and abuse, and that the
failure to address privacy up front would likely lead to a complete
system redesign or overhaul years later at an increased cost.

We urge Senator Bond and Congress to ensure that personal health
information is protected by strong, enforceable privacy protections.

FOR MORE INFORMATION CONTACT:
Janlori Goldman, Deputy Director
Deirdre Mulligan, Staff Counsel
Center for Democracy and Technology +1.202.637.9800
-----------------------------------------------------------------------
2) ANALYSIS OF BOND S. 872

General Provisions: Titles I & II

The objective of the proposal is to encourage the development of a
health information network through the establishment of standards and
requirements for the electronic transmission of certain health
information. (Sec. 101) The Secretary of HHS is given responsibility for
adopting standards for data elements and transactions, but is to be
guided by current practice and by standards developed or modified by a
standards-setting organization (this is likely to be the American
National Standards Institute - ANSI). (Sec. 1172) Sec. 1174 requires that
the Secretary adopt standards relating to the information transactions,
data elements and security and privacy within 18 months of enactment.
The Secretary is to adopt uniform standards to increase the electronic
availability of "financial and administrative transactions: claims or
equivalent encounter information, claims attachments, enrollment and
disenrollment, eligibility, payment and remittance advice, premium
payments, first report of injury, claims status, referral certification
and authorization," and "other transactions determined appropriate by
the Secretary consistent with the goals of improving the operation of
the health care systems and reducing administrative costs." (Sec.
1173(a)(1)).

In addition, the Secretary is to adopt a unique health identifier for
each individual. (Sec. 1174(b)(1)). Sec. 1177 sets penalties for uses of
the unique health identifier that are not authorized by the Secretary.
The Secretary is to promulgate regulations specifying procedures for the
electronic transmission and authentication of signatures that will meet
current federal and state written signature requirements, the "pen & quill"
laws. (Sec. 1173(d)(1))

Privacy and Security Standards:

Section 1172(b)(1) requires each person who "maintains or transmits
health information or data elements that are subject to this Act" to
maintain reasonable and appropriate administrative, technical and
physical safeguards to ensure integrity and confidentiality and to
protect against reasonably anticipated threats or hazards and
unauthorized uses and disclosures.
Section 1174(b) gives the Secretary one and one-half years post
enactment to establish the standards for implementing the privacy
standards.

Penalties for Wrongful Disclosure of Individually Identifiable Health
Information

Under Section 1177, individuals who violate the privacy standards, which
govern obtaining or disclosing individually identifiable health
information, established by the Secretary, may be fined up to $50,000
and imprisoned up to 1 year, or both. If the offense is committed under
false pretenses the fine can be up to $100,000 and the sentence up to 5
years. If the offense is committed with the intent to sell, transfer,
use for commercial advantage or personal gain, or use to maliciously
harm the individual, the fine may be up to $250,000 and the sentence up
to 10 years.

Preemption

The Act would preempt contrary provisions of State laws, including
requirements or standards that are more stringent than the requirements
or standards under the Act, except where the requirement: 1) is more
stringent with respect to electronic transmissions of financial or
administrative transactions from providers to plans and incorporates
standards adopted under the bill; 2) is more stringent with respect to the
privacy of individually identifiable health information; 3) is an
already enacted provision governing the coordination of benefits; or 4)
in the Secretary's judgment, is necessary to curtail fraud and abuse.
(Sec. 1178) The Act does not invalidate or curtail public health
reporting laws. (Sec. 1178(b)).

Health Information Advisory Committee

Section 1179 establishes a Health Information Advisory Committee (15
members) to advise and assist the Secretary. The Committee is directed
to study the issues of uniform standards and electronic exchange and
report to the Secretary within four years of enactment. The Committee is
to report annually on compliance with the Act. The report will address
compliance with privacy and security standards among other issues.

Standards for Patient Medical Record Information

Under Section 1180, within four to six years, the Secretary shall
recommend a plan for developing and implementing uniform data standards
for patient medical record information and the electronic exchange of
such information.

Grants for Demonstration Projects

The Secretary is given the right to make grants for demonstration
projects aimed at promoting the development and use of electronically
integrated, community-based clinical information systems and
computerized patient medical records.
-----------------------------------------------------------------------
3) WHAT YOU CAN DO

There is currently a companion bill in the House of Representatives,
H.R. 1766, the Health Information Modernization and Security Act,
introduced by Representative Thomas Sawyer (D-OH) and Representative
David Hobson (R-OH). This bill is very similar to Senator Bond's bill.
All of the Center for Democracy and Technology's concerns about Senator
Bond's bill apply equally to H.R. 1766.

We urge you to contact Senator Bond at (202) 224-5721 to voice your concern
over S. 872, the Health Information Modernization and Security Act, and
Representatives Hobson at (202) 225-4324 and Sawyer at (202) 225-5231 over the
House bill, H.R. 1766, the Health Information Modernization and Security Act.
-----------------------------------------------------------------------
4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest
organization. The Center's mission is to develop and advocate public
policies that advance constitutional civil liberties and democratic
values in new computer and communications technologies.

Contacting us:

General information on CDT can be obtained by sending mail to: info@cdt.org

World-Wide-Web: http://www.cdt.org/
ftp: ftp://ftp.cdt.org/pub/cdt/

snail mail:
Center For Democracy and Technology
1001 G Street, NW Suite 700 East
Washington, DC 20001

voice: +1.202.637.9800
fax: +1.202.637.0968
###