INFORMATION POLICY FOR THE U.S. HEALTH SECTOR:
ENGINEERING, POLITICAL ECONOMY, AND ETHICS

RECENT LEGISLATIVE RESPONSES

State activity

Until recently, health industry and practitioner groups have tended to favor information regulatory activity at the state level, where other elements of health practice are traditionally controlled. In 1985, hoping to spur uniformity in such actions, the National Conference of Commissioners on Uniform State Laws proposed a Uniform Health Care Information Act. But only a few states have chosen to adopt it. Similarly, only a small number of states have adopted the National Association of Insurance Commissioners’ Information and Privacy Protection Model Act. In any case, both models were constructed before the managed care revolution, and are a bit dated as responses to the complexities of today’s health care information traffic. Other model statutes are available from organizations such as the American Health Information Management Association (AHIMA) and the Workgroup for Electronic Data Interchange (WEDI). A few states, such as Vermont, have recently enacted comprehensive health information statutes based on the newer models.

Comprehensive or not, activity in the area of health information policy is increasing, fueled by the failures at the federal level. Compendia of state codes show legislative efforts affecting health information practices in over two-thirds of the states in just the last three years (Lexis-Nexis, 1997). This increasingly complex array of laws, ranging from a handful to several dozen depending on the jurisdiction, makes operation of health services in interstate commerce an increasingly difficult task.

Past Congressional attention Information privacy issues have been on the national agenda for almost 40 years. Proposals for national "data centers" in the mid-1960s, aimed at improving the efficiency of the government’s statistical activities, first raised concerns about the growing scope and scale of data-collection activities. Subsequent Congressional hearings and reports established that the majority of federal agencies’ databanks existed under unclear statutory authority, operated under idiosyncratic procedures, and were generally unknown to the persons whose data resided within them (Regan, 1995). Reflecting the growing concern, from the 89^th through the 92nd Congresses (1965-72) over 250 legislative bills were introduced relating to privacy (Bennett, 1992). Only two privacy laws were enacted, however: the Omnibus Crime Control and Safe Streets Act of 1968, limiting the use of wiretaps, and the Fair Credit Reporting Act of 1970, which regulated credit agencies. In the post-Watergate fervor of the 94^th Congress, the comprehensive 1974 Privacy Act was passed. But as a result of legislative compromise it reached only to the public sector, and did not provide new mechanisms for on-going oversight of information practices by independent authorities.

Bit by bit, sector by sector, the corpus of US privacy legislation was erected in the next 20 years, in such areas as educational records (1974), bank records (1978), cable television services (1984), electronic communications (1986), employee polygraphs (1988), video rentals (1988), and telemarketing (1991). Health privacy bills were not successful, however. Proposals like the 1980 Federal Privacy of Medical Records Act foundered as major elements of the health care establishment strongly opposed federal preemption, and government agencies divided over the appropriate scope of information limitations (Gellman, 1996). In the 1990s, legislative proposals aiming particularly at reduction of health administrative costs were introduced in the 102nd US Congress. President Clinton’s health care initiative, along with numerous competitor proposals, came in the 103rd. Most of these bills included a heavy reliance on information technology to facilitate the flow of administrative and clinical information, but also included elements relating to health privacy (Gostin, 1993; Alpert, 1993). While none passed, the information imperatives of managed care have sped the development of health information systems nonetheless -- unfortunately, in the absence of any coherent legal or regulatory framework at the national level to structure practices.

104^th Congress In the last Congressional session, three major health information privacy bills were introduced: H.R. 435 ("the Condit bill"), S.1360 ("the Bennett-Leahy bill"), and H.R. 3482 ("the McDermott bill"). Several bills focusing on genetic information issues were also introduced (see, e.g., H.R. 306 and H.R. 341). None passed, and hearings were held only on Bennett-Leahy. However, "administrative simplification" provisions of the Kassebaum-Kennedy Health Insurance Portability and Accountability Act (H.R. 3103, subtitle F; PL 104-191) have mandated studies of standardization, security and privacy issues for health care information by the National Committee on Vital and Health Statistics (NCVHS). Under the terms of the law, if no Congressional action on health privacy has taken place by August 1999 (three years from the date of the law’s enactment), standards promulgated by the Secretary of Health and Human Services based on NCVHS’s advice will be required to articulate "rights," "procedures … for the exercise of such rights," and describe uses and disclosures of health data that "should be authorized or required" (H.R. 3103, subtitle F, part C). The NCVHS’s first report is expected in late summer of 1997.

The Condit, Bennett-Leahy, and McDermott bills shared a common attention to elements of "fair information practices." All made provision for individuals to obtain access to their own health records, and to submit corrections or amendments. All set forth duties for holders of health data ("information trustees"), and rules for various categories of uses and disclosures: for treatment and payment, public health, health research, administration and oversight, law enforcement, etc. All specified civil and criminal penalties for violations. The critical differences were over three core issues: individual consent and control, category-based restrictions and processes, and federal/state preemption. McDermott’s bill took a "strong consent" position, requiring very specific, time-limited revocable authorizations for most downstream uses of data, even data that no longer identified the individual subject. Bennett-Leahy required consent, but using much more general instruments; and it allowed large classes of use and disclosure without specific subsequent consent. Condit’s bill eliminated consent requirements for some uses (treatment, payment), but allowed persons to "opt out" or express a need for special restrictions on an individual basis.

Consistent with their differing stances, McDermott’s bill generally articulated much more restrictive procedural requirements and limitations for various categories of data use than did the other two proposals. McDermott’s bill would not have preempted any state statute which "more completely" protected individual privacy, or which provided a "greater right of access" for the information subject. The Bennett-Leahy and Condit bills would have preempted state law in most circumstances.

105^th Congress and the future As of May 1, several health privacy bills have been introduced in the current session. H.R.52 is the updated version of the Condit bill, with minor changes from the previous session; updated offerings are also expected from Bennett and Leahy (separately), and McDermott. Other privacy bills with health implications are also in play. H.R.341 (Rep. Stearns) and H.R. 306 (Rep. Slaughter) propose protections for genetic information; H.R.1029 (Rep. Towns) addresses privacy in insurance claims; S.600 (Sen. Feinstein) focuses on use of the social security number. As noted elsewhere, a fragmented, incrementalist approach to privacy issues has characterized the US response over the last few decades. The result has been highly incomplete protections, which serve well neither the privacy interests of individuals nor social efficiency. The health care sector’s need for a comprehensive information policy approach is particularly acute. It remains to be seen whether a compromise is possible from among the many competing visions of an appropriate private/social balance.

Outline | Intro | Benefits | Risks | Protections | Engineering | Political-Econ |

Ethical | Conclusion | References | Documents | Other Links | Home Page