Congress drops the ball.
The federal and state laws and regulations governing the collection, use, and transmission of the minimum data set and other health information are a patchwork of protections that are insufficient in this age of electronic media. HCFA's creation of electronic transmission requirements for the MDS in December 1997 did not acknowledge the groundswell within HHS and Congress for new national privacy standards and legislation to protect health information. Instead, HCFA's policy documents focus on the general authorities and justifications for the collection of MDS information, including the agency's "general rulemaking authority to the extent that the information will be used for general monitoring of care and beneficiary needs."
However, public accountability needs must be balanced against the significant threats to personal privacy inherent in an electronic health information infrastructure. Acting on these concerns, Congress, in 1996, passed the Health Insurance Portability and Accountability Act, which contains stiff penalties for wrongful disclosure of identifiable health information. HIPAA also required that if Congress failed to pass health privacy legislation by August 21, 1999, then HHS must issue regulations by February 21, 2000. With Congress having missed its August deadline, HHS is drafting contingency regulations, but most observers believe Congress will pass legislation soon.
Because the MDS is federal data, it is subject to the confidentiality requirements in the Federal Privacy Act of 1974, which prohibits federal agencies from disclosing individually identifiable information contained in a "system of records" to any person or agency without the individual's prior written consent, unless the disclosure was foreseeable when the information was collected.
Unfortunately, the act falls short in several respects. First, the burden is on the individual to protect his or her own interests: The only way to know if your rights were violated is to inquire and then follow up to determine if the agency was in noncompliance. Second, remedies are available only after misuse has occurred. And third, the act is not sensitive to the imbalance of power between individuals and federal agencies.
HCFA views the act as establishing a floor of minimal federal protections. But a study conducted by the General Accounting Office in July faulted the agency for relying on the disclosure provisions contained in it. What's more, HCFA does not inform its beneficiaries in nursing facilities of their rights under the act as the law requires. Instead, it delegates this function to the facility manager by distributing a notice to be given out at admission. And even with these notices, the vast majority of facilities, residents, legal representatives, and families remain uninformed as to their rights. For example, residents are unlikely to be aware that they can ask to see their individual data, request a correction, or seek an accounting of all releases of personal information.
Despite HCFA's assertion that, "[t]here is no reason to believe that collection and analysis of MDS information will not ... be used in the interests of the general public," most experts agree that the biggest threat to the privacy of health information stems from the widespread dissemination of information that HCFA is planning with electronic transmission of the MDS. The potential chain of access includes the facility that collects and enters the data, the software vendors that produce systems and provide system support, multiple state agencies, multiple departments within HCFA and the enforcement agencies with whom it works, and whomever HCFA decides to grant access to in response to requests brought under the Privacy Act or the Freedom of Information Act.
Although MDS transmission involves the use of commercial software vendors and the telephone transmission of non-encrypted data, there are not even minimal government assurances for protecting this sensitive information, such as provisions mandating limited access and vigorous maintenance of audit trails. Such failures, combined with the expanding uses of health information and the inability to assure privacy in an electronic environment, resulted in HIPAA's requirements for national privacy standards.
Several bills are pending in both houses of Congress. Common features include authorized uses of identifiable medical data, the need to obtain informed consent before disclosures, the right of patients to review and supplement their medical records, civil and criminal penalties for wrongful disclosure, and mandatory safeguards for the storage, transmission, and secondary disclosure of identifiable health information.
Much work is needed to reach consensus on some essential issues, such as whether federal privacy law will preempt state laws with stronger privacy protections, whether individuals will have a private right of action to sue for privacy violations, whether identifiable health information can be given to law enforcement officials without a subpoena, and who should have access to juvenile medical records.
In preparing for the forthcoming law or regulations, you might want to consider these issues.
A contributing writer to Contemporary Long Term Care, Marie Infante is an attorney with the Washington, D.C.-based law firm of Powers, Pyles, Sutter & Verville.
|Publication:||Contemporary Long Term Care|
|Article Type:||Brief Article|
|Date:||Oct 1, 1999|