The Medical Information Privacy and Security Act (MIPSA)

Setting Information-Age Parameters For Medical Privacy

March 10, 1999



What does MIPSA Do?

If enacted, MIPSA would be the first comprehensive federal health privacy law. It would close the existing gaps in federal privacy law to ensure protection of personally identifiable health information. It is broad in scope: it applies to medical records in whatever form, paper or electronic. It applies to each release of medical information, including re-releases. It covers doctors, hospitals, researchers, insurers and many other entities.

Patient Privacy Rights under MIPSA include:

  • It does NOT preempt any federal or state law or regulation that offers GREATER privacy safeguards. We propose a floor rather than a ceiling, achieving two goals: First, a strong federal privacy law will eliminate much of the current patchwork of state laws governing the exchange of medical information, and will replace the patchwork with strong, clear standards that will apply to everyone. At the same time, MIPSA makes room for the many possible future threats to medical privacy that we may not even anticipate today. As medical and information technology moves forward into the next century, we must maintain the public's right to seek stronger medical privacy laws closer to home.

  • The right to view, copy and supplement their personal health information (their own records), which is not guaranteed in all states. Inability to review your own records has resulted in major problems when the records are incorrect but the patient is unaware of the mistake.

  • Establishes a clear and enforceable right of privacy with respect to all personally identifiable medical information, including information regarding the results of genetic tests.

  • Creates a set of rules and norms to govern the disclosure of personal health information and narrows the sharing of personal details within the health care system to the minimum necessary to provide care, allow for payment and to facilitate effective oversight. Special attention is paid to emergency medical situations, public health requirements, medical research and law enforcement.

  • Designates an office within the U.S. Department of Health and Human Services, a national office of privacy, to aid consumers in learning about their rights and how they may seek recourse for violations of fair information practices, as recommended by the recent National Research Council report.

  • Allows individuals to segregate portions of their medical records, such as mental health treatment records, from broad viewing by health personnel not directly involved in their care, or by others without legitimate access.

  • Extends the patient privacy protections for federally funded research to protect all sensitive medical information being used for research, whether public or private. It also requires a review of current privacy protections for research to see if improvements can be made.

  • Gives individuals a civil right of action against anyone who misuses their protected health information; establishes criminal and civil penalties for intentionally or negligently using individually identifiable health information.

Urgency In Enacting Federal Medical Privacy Legislation

Absence of Current Law

No comprehensive federal law currently exists to safeguard the confidentiality of personally identifiable health information. Few states have comprehensive health privacy laws. A consensus has long existed that federal health privacy law is needed. Numerous federal advisory commissions and agencies have recommended enactment of a federal health privacy law, and a wide range of consumer, privacy and health care organizations and providers agree.

In its March 1997 report, the National Research Council found that "patients have little control over the ways in which information about their health is collected, used or disseminated" and that "few controls exist to prevent [personally identifiable health information] from being used in ways that could harm patients or invade their privacy." The current trend toward integrated health care delivery systems and increased automation of health records places individual health records privacy at even greater risk.

Administrative Simplification

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes administrative simplification provisions, insisted upon by the House, which require a system of health care information exchange by computer, through computer clearinghouses and data networks, years before the deadline by which privacy protections for medical records must be in place.

During debate on that bill, former Majority Leader Bob Dole put his finger on this problem when he remarked that a "compromise of privacy" which sends information about health and treatment to a national data bank without a person's approval would be something that none of us would accept. Unfortunately, this is exactly what is happening.

Legislative Mandate to Pass A Bill

HIPAA included a provision mandating either that the Congress enact privacy protections within 36 months of passage (by August of 1999), or that the Secretary of HHS promulgate regulations. However, even under this scheme privacy rules do not take effect until two years after the mandatory computerization takes effect; the Secretary is only required to address electronic exchanges, which would not cover such breaches of privacy as the incident in which the medical records of a current member of Congress were faxed to the New York Post. We believe that national policy on medical privacy should be addressed by Congress, not by administrative regulations.

European Union Directive

The EU data protection directive will prohibit the transfer of medical and other personal data from the EU to this country if the EU determines that the United States lacks adequate privacy safeguards. The current absence of a federal privacy law raises the strong possibility of a serious interruption in trade if, through inaction, the United States continues to be viewed as a barrier to transborder data flow.

Exceptions for the Disclosure of Protected Health Information Without First Obtaining an Individual's Authorization

There are a few limited exceptions to MIPSA's general rule prohibiting the disclosure of protected health information absent a valid authorization. In such cases, however, the entity may only disclose the minimum amount of information necessary, and the recipient may only use the information for the purpose for which it was disclosed. These exceptions include:

  • Emergency circumstances -- an entity may disclose protected health information absent an individual's consent if there is a threat of serious harm to the individual or to another person and disclosure of the protected health information could allay or remedy the threat.

  • Public health -- an entity may disclose protected health information absent an individual's consent if doing so could assuage a threat to the public health.

  • Protection and advocacy agencies -- an entity may disclose protected health information to a protection and advocacy agency in order to protect an individual from abuse or neglect.

  • Oversight -- an entity may disclose protected health information to an oversight agency for oversight purposes so long as strict confidentiality measures are taken.

  • Law enforcement -- an entity may disclose protected health information to law enforcement personnel if the law enforcement personnel have a warrant or other comparable court order for the information.

Security Measures Under MIPSA

The bill does not require an entity to adopt any specific technical security measures, but rather requires an entity to establish and maintain "appropriate administrative, technical, and physical safeguards." What is appropriate depends on which technology is used to store information (e.g., paper, computers, networks) and on the state of the art. An example is encryption, which may soon become a commonly used security measure when protected health information is exchanged. As better security measures are developed, they can be implemented without the need for amendments to the law. MIPSA requires the Office of Health Information Privacy to develop and disseminate model guidelines for the establishment of security safeguards.

Key Differences Between MIPSA and Other Legislation

  • It does NOT preempt any federal or state law or regulation that offers GREATER privacy safeguards. We propose a floor rather than a ceiling, achieving two goals: First, a strong federal privacy law will eliminate much of the current patchwork of state laws governing the exchange of medical information, and will replace the patchwork with strong, clear standards that will apply to everyone. At the same time, MIPSA makes room for the many possible future threats to medical privacy that we may not even anticipate today. As medical and information technology moves forward into the next century, we must maintain the public's right to seek stronger medical privacy laws closer to home.

  • Gives individuals the right to view their medical records without exception, unless they elect to waive that right as part of a clinical trial.

  • Prevents law enforcement agents from browsing through medical records without a warrant, a grand jury subpoena or a court order.

  • Allows an individual to self-pay if they do not want their personal health information to be disclosed to a health insurer for payment.

  • Allows individuals to segregate portions of their medical record from broader viewing.

  • Allows an individual to file a private right of action if their privacy rights have been violated, and to obtain appropriate injunctive and monetary relief.

  • Designates an office within HHS to aid consumers in learning about their rights and how they may seek recourse for violations of fair information practices as recommended by the recent National Research Council report.
