Vermont's US Senator, Patrick Leahy


Confidentiality Of Health Care Information Before The Senate Committee on Health, Education, Labor & Pensions

April 27, 1999



Mr. Chairman, this is another Y2K Week in the Senate. But as you and I and others who have been in the trenches on the medical privacy issue know, the Millennium Bug is not the only computer-related problem Congress faces this year.

We are fast approaching the deadline that Congress set for itself of August 21 this year to solve the multitude of privacy glitches in the handling of our medical records both electronic and paper-based.

If we do not act, this responsibility falls to the Secretary of Health and Human Services. Medical records privacy is public policy at an elemental level. Setting these standards is far too important to punt to the bureaucracy. Congress must make these choices.

The issues we face in passing legislation in this area are not new. In 1993, when I chaired the Judiciary Committee's Subcommittee on Technology and the Law, I convened hearings on the privacy of medical records and new technologies. We learned a great deal about how technology is overtaking our privacy rights.

As an Information Age enthusiast, it became clear to me that technology can become a powerful tool for protecting our privacy rights, or it can become a powerful agent in eroding them. The answer is in the choices we make in making technology our servant, instead of our master.

In 1996, during consideration of the Kassebaum/Kennedy health insurance portability bill, Senator Bennett and I worked very closely to include medical privacy protections in that law. In the end, what we were able to include is the deadline for action that is now looming.

At a time when our leading computer chip and software companies have built secret identifiers into their products to trace our every move in cyberspace without our consent, it is time for Congress to wake up to the erosion of the public's medical privacy rights. The ability to compile, store and cross reference personal health information has made our intimate health history a valuable commodity. In 1996 alone, the health care industry spent an estimated ten to fifteen billion dollars on information technology.

Mr. Chairman, you may remember the recent article from The Wall Street Journal that I cited at the Vermont field hearing you held in March, about a company that is "seeking the mother lode in health 'data mining.'" This company wants to get medical data on millions of Americans to sell to other companies. Today there are no laws constraining the creation of large privately owned medical data bases filled with sensitive personally identifiable information on any of us. Information on all of us, no matter how private, is like gold to these "data miners."

As Congress works toward passing legislation, the privacy interests of the American public will be at odds with powerful economic interests and with the penchant of large organizations and complex systems to control this kind of personal information. Well-funded and sharply focused special interests often win in a match-up like this. We must work together to make sure that the grassroots stake that our constituents have in these decisions is not overrun by the high-powered and well-funded lobbying efforts of these special interests. We must not let threats to privacy rise to the point that the only way for a person to ensure confidentiality is to avoid seeking medical treatment.

Mr. Chairman, under your leadership the work is underway to try to bridge the gaps between our legislative efforts to address this issue. I look forward to seeing the product of your committee's work in this area. I certainly offer any assistance that I or my staff can provide in ironing out some of the differences in our respective bills before this issue reaches the Senate floor for debate.

There are many similarities between the bill that Senators Kennedy, Daschle, Dorgan and I introduced, which is S. 573, the Medical Information Privacy and Security Act (MIPSA), the bill that you and Senator Dodd introduced, and the legislation that Senators Bennett and Mack introduced.

In addition to similar provisions there are also several nuanced differences that I believe can be easily resolved. An issue I include in this category, which might surprise you considering some of the rhetoric that is sometimes thrown around these hallways, is health research. Some special interests have used the very important issue of health research as a red herring to try to kill the passage of any medical privacy law, or at least to kill any strong protections for consumers.

We all support health research. We all agree that once medical information is de-identified for research or any other purpose it falls out of the scope of our legislation.

The bill Senator Kennedy and I introduced keeps in place the current review structure for health research at institutions using federal funding, such as NIH. We ask the Secretary of Health and Human Services to examine whether this system can be improved. We also extend the review structure, and its consumer protection components, to privately funded research.

The NIH is often invoked, and I believe rightly so, as the best health research institution in the world so I would like to hear a reasonable argument as to why following its privacy methods would be stifling to other research.

Another issue that has been used as a red herring is the idea of "single" versus "multiple" authorizations from patients for treatment, payment and other uses of identifiable health information. All of the bills before the Senate allow for a single authorization for treatment and payment. Where we differ, and I do believe we can find agreement on an appropriate policy, is the exception in the other bills for "health care operations." At present, however, this newly invented term is far too broad in scope and does not include the necessary accountability measures to protect against anyone from calling their activity using identifiable data a "health care operation" and getting around the spirit of the law.

None of us want to stop the ability of a health provider or health facility to provide effective health care. But those in the health care industry that are seeking this broad escape clause from patient privacy protections must justify the need for complete datasets of identifiable information for this broad range of management functions. At present they have not.

We all agree that uses of medical information outside the scope of treatment and payment and possible management functions that are not related to the provision of care for patients would require additional authorization.

Standards for law enforcement access to medical records is another area where we all seem to be in basic agreement. We may differ in our exact approach, but I hope with the constructive input of the U.S. Department of Justice we can effectively balance the privacy rights of individuals and the sometimes urgent need for law enforcement access to this information.

Other issues may not be so simple to resolve except on the Senate floor, such as preemption of state law. We all agree, however, that "weaker" health privacy laws should be preempted.

So by virtue of passing a federal law we are going to foster a great deal of the uniformity that the health care industry is seeking.

Mr. Chairman, the bill you have introduced, cosponsored by Senator Dodd, and the bill that Senator Bennett has introduced address the issue of preemption differently. While I respect that we have differences of opinion, my view is that addressing concerns about medical privacy is not static. Preempting state consumer protection law is not the way Congress has dealt with this type of issue in the past. For instance, consumer protections in financial and communications law set a federal floor — not a preemptive ceiling. The legislation we enact should not change this precedent.

The legislation that Senator Kennedy and I introduced does not preempt any federal or state law or regulation that offers greater privacy safeguards. We propose a floor rather than a ceiling, achieving two goals:

First, as I mentioned, having a federal privacy floor will eliminate much of the current patchwork of state laws governing the exchange of medical information, and will replace the patchwork with strong, clear, basic standards that will apply to everyone.

Second, and this is where we differ, MIPSA makes room for the many possible future threats to medical privacy that we may not even anticipate today. As medical and information technology moves forward into the next century we must maintain the public's right to meet future technological challenges to privacy with stronger medical privacy laws closer to home.

I am amazed by an argument used in support of preempting stronger state law. It seems that now, if someone disagrees with a strong consumer protection statute in a particular state that the answer is to come to the federal level and ask us to pass a weaker law and preempt the stronger state law. The idea that we should start encouraging our constituents to come to us at the federal level anytime they disagree with a strong state consumer protection law and we will just wipe out the work and expressed interests of states is incredulous.

In our home state of Vermont, like many other states, we have a cancer registry, which I have worked to expand as a tool to help find a cure for this dreadful disease. The National Association of Insurance Commissioners has pointed out that our state statute requires that the Health Commissioner keep confidential all information reported to the cancer registry, with exceptions for the exchange of confidential information with other states' cancer registries, federal cancer control agencies, and health researchers, under specified conditions.

The provisions of this Vermont law arguably would be overridden by a federal privacy law that totally preempted state law or did not include state cancer registry laws as an exception to federal preemption.

In my experience it is usually the case that the best ideas for federal laws in any area begin in the states. Preempting the ability of states to address medical privacy concerns that will arise in the future either because technology has changed, or by virtue of a fact that no federal law is going to be perfect is wrongheaded. We must continue to allow states to be the laboratories for progress and innovation.

Mr. Chairman, I have testified before this committee many times so I will not again elaborate on the need for comprehensive federal medical privacy legislation. By now, the need should be clear.

My message today is that we must act now. The public's interests – not special interests – must be paramount as we proceed. Passing medical privacy legislation is too important to allow it to become a special interest wish list or a partisan issue.
