Online Records a Tough Call

Privacy Fears Complicate Passage of a Health IT Bill

Posted October 22, 2008 at 1:57pm

Correction Appended

A national health information technology program is one of the top priorities of the 111th Congress. But little will happen before lawmakers reach a consensus on a number of key provisions.

Efforts to pass such legislation stalled this year. As it stands now, there are several important differences on privacy and enforcement standards between a Senate proposal and the two House bills.

Proponents, however, are optimistic that an agreement can be reached by early next year, given the broad support for a health IT system in both parties.

Rep. Nathan Deal (R-Ga.), ranking member of the Energy and Commerce Subcommittee on Health, said a compromise bill has a good chance of moving early next year. “We’ve come a long way” toward compromise, Deal said in an interview.

There are agreements on the general concepts of what health IT legislation should include, he said, but some details still need to be worked out.

Others aren’t so sanguine.

One health IT industry lobbyist said lawmakers are “not very close at all” on these details.

Still, there is no reason an accord could not be reached, a House Democratic aide said, suggesting that lawmakers will have time next year to work out their differences.

The Senate bill, the Wired for Health Care Quality Act (S. 1693), does not go far enough in protecting privacy, said an aide to Sen. Olympia Snowe (R-Maine). House Democratic aides agreed.

“It’s pretty hard to compare nothing with something,” a Democratic aide said when asked about how the Senate bill compares with the House measure.

In order for the public to trust the health IT system and fully participate, people must feel confident their medical data will remain private and is not leaked for marketing or other purposes, the Snowe aide said. “When things go wrong, the patients are the ones to suffer here.”

The aide added that Senators need to tighten up the definition of “health care operations,” which are a series of business activities that require the sharing of patients’ medical data. This term is “pretty much catch-all” language that could offer a loophole for the improper use of this data for marketing purposes.

However, requiring disclosure for every single health care operations use “would bog down the system,” said Tina Grande of the industry-led Healthcare Leadership Council. Consent, she said, remains the “most problematic” issue in the House.

Another privacy issue involves the question of when patients need to be notified of breaches in the security of their health care records.

While House legislation, including the Protecting Records, Optimizing Treatment and Easing Communication Through Healthcare Technology Act (H.R. 6357), requires that patients be notified in the event of a privacy breach, the Senate language would only require the secretary of Health and Human Services to develop notification procedures within a year of the law’s enactment.

Such notification must occur for unintentional breaches as well as intentional ones, the Snowe aide said. There should be no exceptions for unintentional releases of this information because the impact on the patient remains the same. “We need legislation that is intent-blind,” the Snowe aide said. “It’s not really asking a lot.”

But Grande disagreed. There needs to be evidence of a threat of harm before notification is required, she argued. If not, patients will be inundated with paper and not notice real and legitimate threats to their privacy.

The group is also concerned about language requiring that an accounting of all disclosures be provided to patients. This would not only be unnecessary, but also difficult and expensive to institute. Such open-ended requirements could actually act as a disincentive to adopting health IT, Grande said.

However, aides to Sen. Patrick Leahy (D-Vt.), one of Snowe’s allies in the push for more privacy protections, argue that the Senate language is sufficient.

The health IT industry lobbyist agreed, saying that Congress must move on legislation instead of waiting for the perfect bill.

“A lot of folks are making the perfect the enemy of the good,” the lobbyist said. The Senate bill is a “huge step forward for privacy,” and lawmakers would be better served getting what they can now and then moving in later legislation to shore up these protections.

Another contested issue involves enforcement of the law.

The federal government needs to be able to hold contractors liable for breaches of patient privacy, said Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology.

This is an “issue of public trust” to ensure that all involved parties handle this data properly.

Critics, however, say that such broad liability, along with providing for private rights of action and suits by state attorneys general, would hinder adoption of health IT. There are “continuing concerns” among many lawmakers with these proposals, Deal said.

An aide to Rep. Dave Camp (R-Mich.), ranking member of the Ways and Means Subcommittee on Health, agreed. A private right of action, which would allow an individual to sue, is a “major hang-up” that would lead many business groups to oppose the legislation.

This would be a deal breaker among businesses, insurers, employers and patient groups, the health IT industry lobbyist said.

Correction: Oct. 23, 2008

The article incorrectly states that Sen. Olympia Snowe (R-Maine) is a co-sponsor of the Wired for Health Care Quality Act. She is not.