Medical Information Privacy and Security Act (MIPSA)
November 4, 1997
Mr. President, the time has come for Congress to enact a strong and effective federal law to protect the privacy of medical records.
To address this need, today, Senator Kennedy and I are introducing the Medical Information Privacy and Security Act (MIPSA).
Americans strongly believe that their personal, private medical records should be kept private. The time-honored ethics of the medical profession also reflect this principle. The physicians' oath of Hippocrates requires that medical information be kept 'as sacred as secrets.'
A guiding principle in drafting this legislation is that the movement to a more integrated system of health care in our country will only continue to be supported by the American people if they are assured that the personal privacy of their health care information is protected. In fact, without the confidence that one's personal privacy will be protected, many will be discouraged from seeking medical help.
I am encouraged that a variety of public policy and health professional organizations, across the political spectrum, are signaling their intentions to step forward to join forces with consumers during this debate.
For the American public, and for the Congress, this debate boils down to a fundamental question: Who controls our medical records, and how freely can others use them?
Many of us in this chamber quickly criticized the Social Security Administration and the IRS regarding the security of computer records. We blasted the IRS for allowing employees to randomly scan through our personal financial records.
If we are concerned about IRS employees looking at our tax records, should we not be concerned about the millions of employers, insurers, pharmaceutical companies, government agencies and others who have nearly unfettered access to the personal medical records of more than 250 million Americans?
All of us are health care consumers--every individual and every American family. As Congress works toward answering this question, the privacy interests of the American public will be at odds with powerful economic interests and with the penchant for large organizations and complex systems to control this kind of personal information. Well-funded and sharply focused special interests often win in a match-up like this.
Senator Bob Dole, the former majority leader of the Senate, put his finger on this problem when he observed that a 'compromise of privacy' that sends information about health and treatment to a national data bank without a person's approval would be something that none of us would accept.
Unfortunately, this nightmare that Senator Dole envisioned is being brought to life by provisions insisted upon by the House in last year's health insurance portability bill that require a system of health care information exchanges by computers and through computer clearinghouses and data networks.
We are now confronted with the fact that the provisions for the computerization of health care records are going into effect in the next few months, but we are still contemplating the delay of promulgating privacy protection until August of 1999, unless Congress acts sooner.
The Information Age opens the door to endless new possibilities and has empowered individuals with marvelous new tools and freedoms. But technology is our servant; we should not let it become our master. Unless we are vigilant, the Information Age can overwhelm our privacy rights before we even know it has happened.
I do not want advancing technology to lead to a loss of personal privacy and do not want the fear that confidentiality is being compromised to deter people from seeking medical treatment or stifle technological or scientific development.
The outlines of the challenge we face in stemming the erosion of medical privacy are already clear. Insurance companies have set up their Medical Information Bureau (MIB) which stores personal medical information on millions of Americans. M.I.B. may have personal information on all of us in Congress and our families.
Managed care companies, HMOs, drug companies, and hospitals are spending up to $15 billion a year on information technology to acquire and exchange vast amounts of medical information about Americans.
While this in and of itself may not be the issue, the question is how and why it is being collected, for what specific use this information is being used, and whether individuals know about this. Patients should be advised about the existence of data bases in which medical information concerning the patients is stored.
This information can be very useful for quality assurance, and to provide more cost effective health care. But I am not certain that the American public would agree with a recent Fortune magazine article which lauded a health insurer that poked through the individual medical records of clients to figure out who may be depressed and could benefit from the use of the anti-depressant Prozac. Are we now encouraging replacing sound clinical judgment of doctors with health insurance clerks who look at records to determine whether you are not really suffering from a physical illness, but a mental illness?
Contrary to some, I believe that computerization can assure more privacy to individuals than the current system if my legislation is enacted. But if we do not act, the increased potential for embarrassment and harassment is tremendous.
There are many more stories which highlight the problems that are out there due to the lack of privacy and security of individuals' medical records; unfortunately, so many other breaches of privacy are more subtle.
Singer Tammy Wynette entered the hospital in 1995 for a bile duct problem. She used a pseudonym, but a hospital staff member broke into her computerized medical records and sold the information to the press, supposedly for thousands of dollars. The sensational National Enquirer then erroneously reported that Wynette was near death and in need of a liver transplant.
A current Member of Congress had her medical records faxed to the New York Post on the eve of her primary. In 1994, she offered eloquent testimony before Congress detailing her ordeal.
In another example, an insurance agent advised a couple that they would be denied coverage for any more pregnancies since they had a 25 percent chance that their children would have a fatal disease.
In Florida, a state public health worker improperly brought home a computer disk with the names of 4,000 HIV positive patients. The disks were then sent to two Florida newspapers.
Medical privacy issues in today's world also take on international implications. Canada and the nations of Europe are taking concrete steps to protect the confidentiality of computerized medical records.
Our nation lags so far behind others in its protection of medical records that companies in Europe may not be allowed to send medical information to the United States electronically. European countries--through an EU privacy directive--are ensuring that private medical records are kept private. The EU prohibits the transfer of personal information from Europe to the U.S. if the EU finds U.S. privacy law inadequate. The implications for U.S. trade are staggering.
The legislation we are introducing today addresses the issues I have outlined to close the existing gaps in federal privacy law to cover personally identifiable health information.
MIPSA is broad in scope--it applies to medical records in whatever form--paper or electronic. It applies to each release of medical information--including re-releases. It comprehensively covers entities other than just health care providers and payers, such as life insurance companies, employers and marketers and others that may have access to sensitive personal health data.
It establishes a clear and enforceable right of privacy with respect to all personally identifiable medical information, including information regarding the results of genetic tests.
It gives individuals the right to inspect, copy and supplement their protected health information. Today, only 28 states grant this right.
It allows individuals to segregate portions of their medical records, such as mental health records, from broad viewing by individuals who are not directly involved in their care.
It gives individuals a civil right of action against anyone who misuses their personally identifiable health information. It establishes criminal and civil penalties that can be invoked if individually identifiable health information is knowingly or negligently misused.
It sets up a national office of health information privacy to aid consumers in learning about their rights and how they may seek recourse for violations of their rights.
It creates a set of rules and norms to govern the disclosure of personal health information and narrows the sharing of personal details within the health care system to the minimum necessary to provide care, allow for payment and to facilitate effective oversight. Special attention is paid to situations such as emergency medical care and public health requirements.
We have tried to accommodate legitimate oversight concerns so that we do not create unnecessary impediments to health care fraud investigations. Effective health care oversight is essential if our health care system is to function and fulfill its intended goals. Otherwise, we risk establishing a publicly-sanctioned playground for the unscrupulous. Health care is too important a public investment to be the subject of undetected fraud or abuse.
MIPSA also extends to all research facilities using personally identifiable information the current requirements met by federally funded researchers. I am troubled that research is viewed by some as an area where privacy rights should be sacrificed and consent not required for use of individually identifiable health information. If there are to be any exceptions in a federal medical privacy law for research using personally identifiable health information, the Congress and the American people need to understand better why this may be necessary. To address this concern our bill mandates an evaluation of the waiver of informed consent that is allowed under current regulations.
It does not preempt state laws that are more protective of privacy. This is consistent with all other federal civil rights and privacy laws.
It prohibits law enforcement agents from searching through medical records without a warrant. It does not limit law enforcement agents from gaining information while in hot pursuit of a suspect.
I know that these are important matters about which many of us feel very strongly. It is never easy to legislate about privacy.
I invite other Members of Congress, federal agencies and outside interest groups to examine the legislation we have introduced today. This bill is a work in progress and we welcome any comments or suggestions to make improvements to this legislation.
I am pleased that my colleague from Vermont, the Chairman of the Labor and Human Resources Committee, Senator Jeffords, has already held two hearings this year on the issue of medical privacy. The clock, however, is ticking and other Members of Congress need to join us to move forward to pass strong and workable medical privacy legislation.
As policy makers, we must remember that the right to privacy is one of our most cherished freedoms--it is the right to be left alone and to choose what we will reveal of ourselves and what we will keep from others. Privacy is not a partisan issue and should not be made a political issue. It is too important.
