MEDICAL PRIVACY: HHS Introduces New Standards
The Department of Health and Human Services yesterday proposed new medical privacy standards designed to protect the electronic flow of medical data between health care providers, insurers and clearinghouses from improper access or alteration. The proposed regulation and accompanying technical guidance require all parties who deal with electronic health information to establish responsible and appropriate safeguards, develop a security plan, provide training for employees, secure physical access to records and implement a digital signature regimen to verify the identity of the person accessing medical records. The standards are required under the 1996 Health Insurance Portability and Accountability Act (HIPAA). The 1996 law also required HHS to recommend health information privacy proposals to Congress, which has until August 1999 to act on them. HHS issued those recommendations last September, and if Congress fails to meet the August 1999 deadline, HHS Secretary Donna Shalala will be empowered to unilaterally implement the program. Shalala said, "The proposals we are making today will help protect against one kind of threat -- the vulnerability of information in electronic formats. Now we need to finish the bigger job and create broader legal protections for the privacy of those records" (HHS release, 8/11).
No Privacy, No Medical ID
A Dallas Morning News editorial argues that until Congress passes Sen. Patrick Leahy's (D-VT) medical records privacy act, lawmakers should repeal the HIPAA provision that "creates a unique, lifetime medical identification number for every U.S. resident." Sen. Leahy's bill "allows patients to inspect and amend their medical records" and "creates civil and criminal penalties when personally identifiable medical information is intentionally or negligently misused." The Morning News editorial states that until the privacy standards bill -- which contains exceptions for emergency care and public health threats -- is in place, "Americans shouldn't be tagged with a health identifier. ... Once stronger privacy protections are in place, Congress can reconsider the identifiers" (8/12).
Internet Medical Records
According to an article in today's New York Times, "'A potential revolution' is brewing" in consumer interaction with health plans and doctors, as "a growing number of insurers and doctors are ... using [the Internet] to provide members and patients with personal medical information, from lab results to payment records." The Times reports that many large insurers, including Kaiser Permanente, Oxford Health Plans, Aetna Inc., United Healthcare Corp. and Harvard Pilgrim Health Care, have expanded websites that are up and running or in the works to disseminate information to their members. For example, Kaiser Permanente "says it will provide laboratory results next year to patients over the Internet using a personal identification number." According to the Times, the trend "raises serious questions about the privacy of such highly personal information wafting about the digital world. ... The issue thus fits squarely into the broader debate about privacy and security on the Internet." American Medical Association Trustee Dr. Donald Palmisano said, "If vandals can break into a CIA website, it doesn't make the AMA feel real secure that some vandals won't break into a health plan" (Freudenheim, 8/12).