Lawmakers jump on medical privacy bandwagon as elections loom

Lawmakers jump on medical privacy bandwagon as elections loom

Data access wields a double-edged sword

Advances in networking, healthcare information technology, and standardization have made medical data more accessible and transferable than ever before. The number of vendors offering electronic medical records is exploding (HNN 4/5/00, 5/3/00, 5/17/00, 5/31/00), and as the EMR moves closer to mainstream adoption, vendors and government representatives are making their cases to the federal government about how medical data should be handled and shared.

The pending HIPAA regulations, which will regulate electronic medical data within the healthcare community, have brought security and privacy issues to the forefront (HNN 5/3/00, 5/31/00). However, HIPAA implementation will also make digital data available at the click of a mouse to multiple, global locations at speeds approaching real-time via the Internet, and the HIPAA regulations are limited in scope. Industries outside of healthcare, such as banks and insurers, are not bound to follow HIPAA privacy mandates and yet may have access to the same information.

Healthcare privacy and security issues have become a hot button for both Democrats and Republicans in this election year. The Clinton administration began the process of codifying medical privacy policies with the signing of the Gramm-Leach-Bliley Act last November, which sets in place limited consumer protection for the use of healthcare data by financial institutions. This was followed by the signing of an executive order in February that prohibits the federal government from using genetic information in hiring or promoting decisions for its own employees. At least six other bills that have medical privacy regulations at their heart are pending before the House and the Senate.

The propriety of sharing medical data reared its head in legislation proposed by Rep. Jim Leach (R-IA), head of the House Banking Committee, on June 6. The proposed Medical Financial Privacy Protection Act is a response to the Gramm-Leach-Bliley regulations that allow banks, brokerage firms, and insurers to move into one another's markets. The American Bankers Association, Consumer Bankers Association, and the Financial Services Roundtable adopted voluntary privacy guidelines to get the bill enacted, including forbidding disclosure of medical data and using data for marketing or credit decisions without the person's consent.

Leach's proposed legislation is based on common sense. It calls for financial firms to obtain express written consent before disclosing "individually identifiable" health data to another company or affiliated company. In addition, financial firms are prohibited from using health data to determine credit eligibility without express consent. Customers must separately and specifically consent to firms' accessing mental health records, and they have the right to inspect, copy, and correct health data under the control of a financial firm.

This bill is not the first to address the issue. Leach's proposal is in direct competition with a similar, earlier bill (H.R. 4380) sponsored by Rep. John LaFalce (D-NY), the Consumer Financial Privacy Act. LaFalce claims that Leach's rules do not go far enough, while H.R. 4380 would further protect medical information from cross-industry sharing and require customer consent before sharing lists of buying patterns. The Consumer Financial Privacy Act would also give enforcement authority to the Federal Trade Commission, a concept that has come under fire recently from the online industry. Both proposals are intended to supplement the HIPAA regulations when those rules become final.

In related developments on Capitol Hill, Congress has turned its attention to the potential effects of cutting-edge medical technology on the health of the U.S. economy. In an effort to ensure that industry's voice is not lost in this debate, MedicaLogic/Medscape chairman Mark Leavitt spoke at the High-Tech Summit hosted by Congress' Joint Economic Committee on June 6-7 as a witness for the minority. According to Leavitt, consumers and physicians alike will embrace the changes wrought by the adoption of wireless communication, online medical records, and other point-of-care services. He also argued that advances in this technology will ensure the privacy and quality of medical data on the Internet because access to information can be both restricted and tracked.

"Our citizens gained greater personal control of their finances long ago, through credit cards, ATMs, online banking, and trading," Leavitt told the committee. "Now we need to apply technology to gain the same control over our health. We believe that doing the right thing with technology can actually enhance privacy."

In addition to Leavitt's testimony before the JEC, the Hillsboro, OR-based electronic medical records firm cites its endorsement of the eHealth ethics code and the Health Internet ethics code, both finalized in May, as evidence of the company's support for fair dealing with medical data. The third in a series of summits held by JEC, the High-Tech Summit was convened to discuss how public policy and education, trade, and deregulation will affect the U.S. economy.

Data privacy is not solely a U.S. issue, however. The Australian government has come under fire for proposed legislation that allows organizations to collect healthcare information without first obtaining consent, and European consumers are voicing concerns about the safe harbor agreement, a data privacy pact between the European Union and the U.S. that consumer organizations say falls far short of current laws. The European Parliament will probably approve the safe harbor accord this summer.