-----------------------------------------------------------------------------
    _____ _____ _______
   / ____|  __ \__   __|   ____        ___               ____             __
  | |    | |  | | | |     / __ \____  / (_)______  __   / __ \____  _____/ /_
  | |    | |  | | | |    / /_/ / __ \/ / / ___/ / / /  / /_/ / __ \/ ___/ __/
  | |____| |__| | | |   / ____/ /_/ / / / /__/ /_/ /  / ____/ /_/ (__  ) /_
   \_____|_____/  |_|  /_/    \____/_/_/\___/\__, /  /_/    \____/____/\__/
   The Center for Democracy and Technology  /____/     Volume 2, Number 30
----------------------------------------------------------------------------
      A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
 CDT POLICY POST Volume 2, Number 30                       August 16, 1996

 CONTENTS: (1) New Electronic Health Information Provisions
               Pose Privacy Risks
           (2) How to Subscribe/Unsubscribe
           (3) About CDT, contacting us

  ** This document may be redistributed freely with this banner intact **
        Excerpts may be re-posted with permission of 
         ** This document looks best when viewed in COURIER font **
-----------------------------------------------------------------------------

(1) NEW ELECTRONIC HEALTH INFORMATION PROVISIONS POSE PRIVACY RISKS

"The Medical Records Confidentiality Act" (S. 1360) remains stalled as 
Congress continues its summer recess.  The Senate Labor and Human Resources
Committee indefinitely delayed mark-up of the bill due to opposition from a
number of industry groups.

Although S. 1360 (also known as the Bennett-Leahy bill) remains in limbo,
Congress did take some action that impacts medical records privacy.  The 
recently-passed Kennedy-Kassebaum Health Insurance Portability and
Accountability Act of 1996 (HR 3103) contains a section known as 
"Administrative Simplification."  This section of the Act mandates the
development and adoption of standards for electronic exchanges of health 
information.  It also mandates that Congress or the Secretary of Health and
Human Services (HHS) develop privacy rules to govern such electronic 
exchanges; however, these rules may not be in place before the electronic 
system is implemented. 

CDT and other privacy and consumer advocates urged Congress to include strong,
comprehensive privacy rules in any administrative simplification proposal
considered by Congress.  While we fell short of that goal, there are a number 
of provisions in the Kassebaum-Kennedy bill that impact on individual privacy,
data confidentiality and security.  Most importantly, the law mandates that
Congress enact privacy rules to protect health information within the next 36
months; and, if Congress fails to act, the law requires the Secretary of HHS 
to promulgate final regulations establishing privacy rules within the 
following six months.

While the passage of administrative simplification language without strong
statutory privacy protections included at the outset is disappointing and 
threatens privacy, the recently enacted provisions set a privacy agenda in two
areas.  They provide an opportunity to reinvigorate efforts in Congress to act
upon pending health information privacy legislation, and to work with the 
Department of Health and Human Services to develop privacy regulations.  

CDT believes it is critical that supporters of the Bennett-Leahy bill and
similar legislative proposals seize this opportunity to move health privacy
legislation.  It is imperative that privacy safeguards be in place prior to 
the development or adoption of standards for electronic handling of health
information.  CDT looks forward to working with other privacy and consumer
advocates to support national health privacy policy.  

For more information and background about this and other related topics,
please visit CDT's Health Information Privacy Issues Page:

     http://www.cdt.org/privacy/medical/

     -----------------------------------------

SYNOPSIS OF ADMINISTRATIVE SIMPLIFICATION LANGUAGE

Administrative Simplification

The law directs the Secretary of Health and Human Services (HHS) to: 

* adopt standards for the electronic exchange of a variety of health care
  transactions;
 
* adopt standards for a unique health identifier for each individual, 
  employer health plan and health care provider;

* adopt security standards for health information; and

* adopt safeguards that require those who maintain or transmit health
  information to adopt reasonable and appropriate administrative, technical,
  and physical safeguards that will protect the integrity and 
  confidentiality, and protect against unauthorized uses and disclosures of
  health information.

It requires covered entities to come into compliance with standards within 24 
months of their adoption.  

     --------------------

Privacy Provisions

* Within 12 months of enactment, HHS must submit a report to Congress on the
  privacy of individually identifiable health information.  The report must
  address the rights individuals should have with respect to such information,
  the procedures that should be established for exercising these rights, and
  the uses and disclosures of information that should be authorized or 
  required.

* Within 36 months of passage, Congress must enact legislation protecting 
  the privacy of health information in standards for electronic exchange.

* If Congress fails to enact privacy legislation within 36 months, HHS must
  promulgate final regulations protecting the privacy of health information
  in standards for electronic exchange within the following six months.

* The law maintains existing state confidentiality statutes that are stronger
  than those enacted by Congress or promulgated by HHS.

* The law establishes criminal and civil penalties for those who knowingly 
  and in violation of the act:
     - misuse unique health identifiers;
     - obtain individually identifiable health information;
     - disclose individually identifiable health information.

-----------------------------------------------------------------------

(2) SUBSCRIPTION INFORMATION

Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list.  CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
nearly 10,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.

To subscribe to CDT's Policy Post list, send mail to

     policy-posts-request@cdt.org

with a subject:

     subscribe policy-posts

If you ever wish to remove yourself from the list, send mail to the
above address with a subject of:

     unsubscribe policy-posts

-----------------------------------------------------------------------

(3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications
technologies.

Contacting us:

General information:  info@cdt.org
World Wide Web:       URL:http://www.cdt.org/
FTP                   URL:ftp://ftp.cdt.org/pub/cdt/

Snail Mail:  The Center for Democracy and Technology
             1634 Eye Street NW * Suite 1100 * Washington, DC 20006
             (v) +1.202.637.9800 * (f) +1.202.637.0968

-----------------------------------------------------------------------
End Policy Post 2.30                                            8/16/96
-----------------------------------------------------------------------

