February 17, 2000
The Honorable Donna E. Shalala
Secretary of Health and Human Services
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201
Dear Secretary Shalala:
I am pleased to write to you to comment on the Department of Health and Human Services' (HHS) proposed rule on standards for privacy of individually identifiable health information that was published in the Federal Register on November 3, 1999.
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). This law mandated the computerization of our health care system while recognizing that the increased use of technology would lead to an erosion of personal privacy unless strong action was taken. The law established an August 21, 1999 deadline for Congress to pass comprehensive medical privacy legislation. To my profound disappointment, Congress failed to meet its own, self-imposed deadline. Under HIPAA, if Congress failed to meet its own deadline, your department was then required to establish medical privacy guidelines administratively. Your department issued a proposed rule that is an important step to providing the protections that so many Americans expect, and deserve.
For the past several years I have been engaged in efforts to make sure that Americans' expectations of privacy for their medical records are fulfilled. I believe that advances in medical and information technology can be harnessed to enhance our privacy protections if this is done correctly.
It is crucial that we are successful in creating privacy protections, or the fear that confidentiality is being compromised will deter people from seeking medical treatment and could stifle technological or scientific development. I have introduced comprehensive medical privacy legislation, the Medical Information Privacy and Security Act (MIPSA), on two occasions, first in November, 1997, (S.1368), and then again in March, 1999, (S.573). Both of those comprehensive bills were referred to the Senate Health, Education, Labor and Pensions Committee (HELP).
I have testified before the HELP Committee on a number of occasions urging action on medical privacy legislation. I have attempted to highlight the need for Congressional action on this issue through several forums, including speaking on the Senate floor on several occasions to several appearances before the news media. I have expressed my very strong opposition to any efforts to extend the Congressional deadline in several letters to President Clinton. Just this past summer, I was one of the leaders in a successful effort to remove harmful medical privacy language from a financial services bill. As you can see, this issue is very important to me.
When your Department's final rule goes into effect, Americans will, for the first time, enjoy some federal protection of their personal medical information. Although the proposal takes the first step toward creating a foundation of privacy protections, there are some areas where the rule is inadequate. Some of these needed improvements can be made by HHS while some will require statutory changes to lift the restrictions contained within HIPAA. For this reason, even if you make all the improvements within your authority, Congress must still pass privacy legislation to ensure that patients' records are fully protected. Patients must have the security of knowing that their personal and private information remains just that - personal and private.
I look forward to working with you and others as I continue to push for Congressional action on this important issue. In the meantime, I urge you to issue a final medical privacy regulation as quickly as possible.
I know HHS has received a significant number of comments on the proposed rule. I am sure that you will give consideration to each of these comments. However, I would like to draw particular attention to the comprehensive comments submitted by the Health Privacy Project at Georgetown University. These comments are very thorough and the recommendations for change are thoughtful and worthy of close consideration. The following are my comments on specific sections of the proposed rule.
Applicability
This section addresses two important issues: what entities are covered; and, what types of health information should be protected under the proposed rules.
Covered Entities
The limited authority delegated to HHS by HIPAA allows for the proposed regulation to only cover health care providers, health care plans and health care clearinghouses. Unfortunately, a large number of entities that have contact with identifiable health information will continue to be unregulated. This is one of the most pressing reasons that Congress must still work to pass a comprehensive medical privacy law that will be applicable to all entities that generate, maintain or receive protected health information.
Protected Health Information
I agree with your approach to apply privacy protections to individually identifiable information on computer printouts, or discussed orally, as well as those records transmitted or maintained electronically by a covered entity. It makes sense to continue to protect this electronically transmitted information when it is printed out or conveyed verbally. This information is personal and private regardless of how it is communicated.
I am very concerned that the proposed rule does not extend protection to medical information that has never been maintained or transmitted electronically. Although HIPAA focused on electronic transmission of information, I agree with your analysis that the statute does extend authority to your agency to promulgate privacy standards to all individually identifiable health information, in any form. As the proposed rule indicates, this could include medical information that is in a non-electronic form.
I strongly urge you to exercise your full statutory authority and revise the proposed rule to extend its protections to include medical records maintained by a covered entity in paper form.
Treatment, Payment and Health Care Operations
I strongly disagree with your decision to take away the right of individuals to authorize the disclosure of their individually identifiable health information for the use of treatment, payment and health care operations. I agree with your desire to establish a rule that will make health information relatively easy to use for health-related purposes. However, I believe that goal can be accomplished by requiring that a patient be a part of this process. The approach taken in the proposed rule allows for a free-flow of information for treatment, payment and health care operations without any input from the patient. The patient is essentially cut out of the process at the most critical stage.
I urge you to revise the proposed rule to require patient authorization so that patients can have the opportunity to understand the privacy policy that is in place from the beginning and consent to it.
Minimum Necessary Use and Disclosure
A strong medical privacy rule should guarantee that individually identifiable health information will be used and disclosed only to the minimum extent necessary in order to achieve the legitimate purpose for which the information was first obtained. The legislation I have sponsored, S.573, would mandate such an approach and I am pleased that the proposed rule reflects the importance of using only the information that is necessary.
Health Oversight
I have concerns that the health oversight section of the proposed rule does not contain an adequate number of limits to the access and re-use of protected health information. I urge you to revise the final regulation to include a bar on the re-use and re-disclosure of protected health information obtained during health oversight activities in subsequent actions against individuals. The bill I have sponsored, S. 573, includes such a bar that will prevent health oversight agencies from using the information they gain during oversight investigations in any unrelated action against an individual.
Law Enforcement
Although I recognize a positive shift made in your department's approach to restricting law enforcement access to individually identifiable health information, I do not believe that this section of the proposed rule establishes sufficient protections for individuals. Prior to introducing my medical privacy legislation, I carefully reviewed the numerous and complex issues surrounding law enforcement access to personal health information. I came to determine that a covered entity should only be allowed to disclose protected health information to an investigative or law enforcement officer pursuant to a warrant issued under Federal Rules of Criminal Procedure, an equivalent state warrant, a grand jury subpoena, or a court order as outlined in Section 208 of S. 573. Generally speaking, law enforcement should be required to obtain legal process issued by a neutral magistrate upon showing of probable cause.
Federal law establishes protections for cable and video records that are much stronger than the protections afforded to health information under this proposal. Medical records contain information that is of the utmost personal and private nature, and access to this information, including access by law enforcement, must be limited to the cases where it is necessary. The issue is fundamental - many people will be reluctant to seek medical care due to inadequate privacy protections. As a former prosecutor, I understand the need to have access to information to carry out the job of protecting society from criminals. However, as an individual, I do not want personal medical information made available to any law enforcement officer who flashes a badge and asks for it.
Research
Health research is an essential component of any quality health care system. In order to further scientific discovery it is important for medical researchers to have access to necessary information. However, it is also essential that individuals be guaranteed protection of their personal medical information. The proposed rule establishes a good framework for regulating researcher efforts by building upon the "Common Rule" regulations that currently govern federally-funded research or research that is conducted in anticipation of FDA review. Although this is an important step toward balancing the needs of researchers and the protection of patients, this is a complex issue that needs close evaluation. I urge you to give serious consideration to the comprehensive comments and recommendations submitted by the Health Privacy Project on the issues surrounding research.
Access for Inspection, Copying, Amendment or Correction
A strong medical privacy rule must ensure that a patient has the right to view and to amend or correct his or her medical information if it is not accurate. This is an essential component of medical privacy protection because individually identifiable health information is relied upon not only for treatment purposes, but also for insurance and other purposes.
When an individual has requested to amend his or her medical information and that request has been denied, I believe that it is essential for recipients of the disputed health care information to have access to the patient's requested amendment or correction. As drafted, the proposed rule requires that a statement of disagreement only be provided with future disclosures of the contested information. I urge you to revise the draft rule to require that a covered entity that denies an individual's request to correct or amend his or her medical information provide this statement of disagreement to previous recipients of the disputed health care.
Accounting of Disclosure
I am pleased that the proposed rule will grant an individual the right to obtain an accounting of the disclosures that have been made of his or her protected health information and for what purpose the information was disclosed. The proposed rule attempts to balance the right for a patient to know when their medical information has been disclosed, while not burdening the covered entities. However, I believe that an individual should have the right to know who has seen his or her health information and for what purpose. I urge you to revise the proposed rule to allow an individual to have the right to review the full trail of documentation regarding who has had access to what information. This right of access should extend to a full audit trail where one exists.
Relationship to State Laws
I strongly support the approach of HIPAA and the proposed regulation that federal medical privacy protections act as a floor, not a ceiling. Under this approach, weaker state laws would be preempted, while state laws that offer more protection than the federal regulation will remain in place. Thus, states will be allowed to pass medical privacy laws that reflect the changing times, or new uses of technology. The proposed regulation also allows a state to pass laws that consider any special needs of its citizens. I have been a champion of states' rights over my twenty-five year career in the U.S. Senate. One of the highlights of my medical privacy legislation is a provision similar to the proposed rule where any federal privacy protections would establish a floor, not a ceiling.
Due to my strong support for preemption of weaker state laws only, I am concerned about a waiver provision contained within the proposed rule. I recognize that HIPAA sets forth a standard for states to apply for exceptions to the regulation preemption provision. However, I urge you, as Secretary, to limit exceptions to only those cases where it is absolutely necessary. I feel very strongly that the preemption provisions are essential to protect an individual's privacy and am concerned that proponents of weaker state laws will use this waiver process to avoid complying with the regulation.
Compliance and Enforcement
Ideal medical privacy protections would allow an individual to bring suit under a private right of action to protect their rights. However, I agree that statutory limitations established by HIPAA prevent your department from creating this ideal individual private right of action. I believe that a private right of action is an essential enforcement tool for any strong privacy protections because it empowers an individual to seek redress when his or her privacy has been violated. The limitations established by HIPAA in this area reinforce, once again, why Congress must pass comprehensive federal medical privacy legislation.
I am concerned, however, about whether the Office of Civil Rights (OCR) at HHS, currently a relatively small office, has the adequate funding to carry out the major responsibility of enforcing the complaint process established by this rule. Due to the limited enforcement ability allowed for in this rule by HIPAA, it is essential that OCR have the capacity to enforce the regulations.
Although the effective date of this rule is not until two years from the issuance of the final regulation, it is important for those entities covered by the new guideline to have the necessary technical assistance to come into compliance. Now is the time for OCR to begin building the necessary infrastructure to enforce the regulation effectively.
As you know, OCR, which currently enforces civil rights law in the human services setting, has been chronically underfunded. The FY 2000 budget of $22 million is the same as OCR's budget in 1980. During this period, OCR's enforcement responsibilities have increased substantially with the passage of the Americans with Disabilities Act, welfare reform and other laws and regulations affecting civil rights issues. Adequate funding for this office is essential and in a December 20, 1999 letter to Jacob J. Lew, Director of the Office of Management and Budget, I highlighted the necessity of increased funding for OCR for implementation of the medical privacy regulation. I was disappointed to see that my request for increased funding for OCR was unmet in President Clinton's FY 2001 proposed budget. As a result, I plan to do all that I can to ensure that this essential office within HHS has adequate funding to carry out the critical responsibility of enforcing this rule.
Conclusion
As HHS works on a final medical privacy rule and Congress moves forward to try and pass comprehensive medical privacy legislation, we must remember that the right to privacy is one of our most cherished freedoms. It is the right to be left alone and to choose what we will reveal of ourselves and what we will keep from others. Privacy should not be a political issue. It is too important and too basic to the individual rights we cherish as Americans.
The proposed rule by the Administration establishes a foundation of privacy protections, while also outlining the important ideas and arguments that will enhance the debate about how to best protect individually identifiable health information, while also allowing for the flow of information that is necessary to allow for an efficient health care system. While I have pointed out some areas of specific concern in the draft regulation, I do believe it is an important step forward and will establish some significant new protections for patients.
Sincerely,
PATRICK LEAHY
United States Senator
cc: Assistant Secretary for Planning and Evaluation
Attention: Privacy-P
Room G-322A, Hubert H. Humphrey Building
200 Independence Avenue SW
Washington, DC 20201
