The Medical Information Privacy and Security Act (MIPSA)

S. 1368

Sponsors: Senator Patrick Leahy and Senator Edward Kennedy

Introduced: November 4, 1997

Setting Information-Age Parameters For Medical Privacy


What does MIPSA Do?

If enacted, MIPSA would be the first comprehensive federal health privacy law. It would close the existing gaps in federal privacy law to ensure protection of personally identifiable health information. It is broad in scope: it applies to medical records in whatever form, paper or electronic. It applies to each release of medical information, including re-releases. It covers doctors, hospitals, researchers, insurers and many other entities. More specifically, MIPSA:

  • Provides individuals with a comprehensive set of rights of inspection and an opportunity to amend their own records — which is currently only permitted by 28 states. Inability to review your own records has resulted in major problems when the records are incorrect but the patient is unaware of the mistake.

  • Establishes a clear and enforceable right of privacy with respect to all personally identifiable medical information including information regarding the results of genetic tests.

  • Creates a set of rules and norms to govern the disclosure of personal health information and narrows the sharing of personal details within the health care system to the minimum necessary to provide care, allow for payment and to facilitate effective oversight. Special attention is paid to emergency medical situations, public health requirements, medical research and law enforcement.

  • Sets up a national office of privacy to aid consumers in learning about their rights and how they may seek recourse for violations of fair information practices as recommended by the recent National Research Council report.

  • Allows individuals to segregate portions of their medical records, such as mental health treatment records, from broad viewing by health personnel not directly involved in their care, or by others without legitimate access.

  • Leaves in place the current Institutional Review Board (IRB) system for federally funded research and extends these rules to non-federally funded research. It also requires a review of current IRB practices to see if improvements can be made.

  • Gives individuals a civil right of action against anyone who misuses their protected health information; establishes criminal and civil penalties for intentionally or negligently using individually identifiable health information.

  • Protects the rights of states to impose even stronger standards more protective of privacy than the federal bill. This approach to preemption is consistent with those taken in all other federal civil rights and privacy laws.

Urgency In Enacting Federal Medical Privacy Legislation

Absence of Current Law

No comprehensive federal law currently exists to safeguard the confidentiality of personally identifiable health information. Few states have comprehensive health privacy laws; in fact only one-third of the states offer privacy protections and only 28 states grant individuals the right to see and copy their own medical records. A consensus has long existed that federal health privacy law is needed. Numerous federal advisory commissions and agencies have recommended enactment of a federal health privacy law, and a wide range of consumer, privacy and health care organizations and providers agree.

In its most recent report, the National Research Council found that "patients have little control over the ways in which information about their health is collected, used or disseminated" and that "few controls exist to prevent [personally identifiable health information] from being used in ways that could harm patients or invade their privacy." The current trend toward integrated health care delivery systems and increased automation of health records places individual health records privacy at even greater risk.

Administrative Simplification

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes administrative simplification provisions, insisted upon by the House, which require a system of health care information exchanges by computers and through computer clearinghouses and data networks by February 1998. The act gave industry what it needed to move rapidly toward computerization of medical records without privacy protections in place.

During debate on that bill, former Majority Leader Bob Dole put his finger on this problem when he remarked that a "compromise of privacy" which sends information about health and treatment to a national data bank without a person's approval would be something that none of us would accept. Unfortunately, this is exactly what is happening.

Legislative Mandate to Pass A Bill

HIPAA included a provision mandating either that Congress enact privacy protections within 36 months of passage (by August of 1999), or that the Secretary of HHS promulgate regulations. However, even under this scheme privacy rules do not take effect until two years after the mandatory computerization takes effect, and the Secretary is only required to address electronic exchanges, which would not cover such breaches of privacy as the incident in which the medical records of a current member of Congress were faxed to the New York Post. Senators Leahy and Kennedy believe that national policy on medical privacy should be addressed by Congress, not by administrative regulations.

European Union Directive

The EU data protection directive will prohibit the transfer of medical and other personal data from the EU to this country if the EU determines that the United States lacks adequate privacy safeguards. The current absence of a federal privacy law raises the strong possibility of a serious interruption in trade if, through inaction, the United States continues to be viewed as a barrier to transborder data flow.

Real-Life Examples Illustrating The Need For MIPSA

  • A current member of Congress had her medical records faxed to the New York Post on the eve of her primary. She and her parents woke up to a front-page story of her attempted suicide.

  • A state employer in Pennsylvania got access to an employee's prescription records and shared information within the agency that the employee was taking AZT, a commonly prescribed drug for people with AIDS. The employee sued, but the court found that under current law the employee had no right to the privacy of his medical records.

  • A state of Florida public health worker improperly brought home a computer disk with the names of 4,000 HIV-positive patients. He sent the names to two Florida newspapers.

  • Without notice to an employee who had sued her employer for emotional distress, an employer subpoenaed and received copies of the employee's complete gynecologist record.

  • In order for her client to be reimbursed for therapy under her HMO plan, a psychotherapist was forced to disclose her clinical notes that contained intimate details of her client's life, including a history of sexual abuse and a suicide attempt. This information was entered into a computer database accessible to nearly all of the HMO's employees.

Exceptions for the Disclosure of Protected Health Information Without First Obtaining an Individual's Authorization

There are a few limited exceptions to MIPSA's general rule prohibiting the disclosure of protected health information absent a valid authorization. In such cases, however, the entity may only disclose the minimum amount of information necessary, and the recipient may only use the information for the purpose for which it was disclosed. These exceptions include:

  • Emergency circumstances -- an entity may disclose protected health information absent an individual's consent if there is a threat of serious harm to the individual or to another person and disclosure of the protected health information could allay or remedy the threat.

  • Public health -- an entity may disclose protected health information absent an individual's consent if doing so could assuage a threat to the public health.

  • Protection and advocacy agencies -- an entity may disclose protected health information to a protection and advocacy agency in order to protect an individual from abuse or neglect.

  • Oversight -- an entity may disclose protected health information to an oversight agency for oversight purposes so long as strict confidentiality measures are taken.

  • Law enforcement -- an entity may disclose protected health information to law enforcement personnel if the law enforcement personnel have a warrant or other comparable court order for the information.

Security Measures Under MIPSA

The bill does not require an entity to adopt any specific technical security measures, but rather requires an entity to establish and maintain "appropriate administrative, technical, and physical safeguards." What is appropriate depends on which technology is used to store information (e.g., paper, computers, networks) and on the state of the art. An example is encryption, which may soon become a commonly used security measure when protected health information is exchanged. As better security measures are developed, they can be implemented without the need for amendments to the law. MIPSA requires the Office of Health Information Privacy to develop and disseminate model guidelines for the establishment of security safeguards.

Significant Ways that MIPSA (S.1368) of the 105th Congress differs from Bennett-Leahy (S. 1360) of the 104th Congress

While there are many similarities in the basic concepts of protecting medical records, below are some of the most significant differences between the Medical Information Privacy and Security Act (MIPSA), introduced November 4, 1997 by Senators Leahy and Kennedy, and the Bennett-Leahy bill from the 104th Congress:

MIPSA, S. 1368, in the 105th Congress:

  • Gives individuals the right to view their medical records without exception.

  • Allows individuals to self-pay if they do not want their personal health information to be disclosed to a health insurer for payment.

  • Allows individuals to segregate portions of their medical record, such as mental health treatment records, from broad viewing by individuals not directly involved in their care.

  • Creates a federal Office of Health Information Privacy to act as a clearinghouse for consumers to obtain information about their medical privacy rights and to provide rigorous enforcement and oversight of these rights.

  • Requires an evaluation and, if appropriate, modification of the current Institutional Review Board (IRB) waivers of informed consent for the purposes of medical research using personally identifiable health data.

  • Does not preempt state laws that are stronger on privacy. This is consistent with all other federal civil rights and privacy laws.
