If I were to ask you to picture where your medical records are right this moment, you probably would imagine a file that looks somewhat like this (manila folder) containing the documentation of your health history which includes some of the most personal and intimate details of your life. You probably imagine this file in your doctor’s office or your local hospital locked away in a filing cabinet, the keys to which dangle around the neck of trustworthy nurse who looks like your mother, the guardian of your medical records. If this is the image you are picturing, you are sorely mistaken. The time has passed when your medical records were as safe as if they were in your mother’s arms.

Today doctor/patient confidentiality is rapidly eroding. With the stroke of a few keys on a computer or the swipe of a prescription drug card, our personal health information is being accumulated and tracked.

I was alarmed to read the story published in the Washington Post last year which described just how far we’ve come from the era when our medical records were safely locked away in the filing cabinet. The story was of a woman whose prescription purchases were tracked electronically by a pharmacy benefits management company two states away hired by her employer. With every swipe of her prescription-drug card she saved 50% on her prescriptions. At the same time, however sensitive, personal health information was being compiled without her knowledge, at the expense of her privacy! In turn, this data was used to inform her doctor that she would be enrolled in a "depression program", monitored for continued use of anti-depression medications and targeted for "educational" material on depression. Most alarming, all of this was done at the behest of her employer who had unfettered access to all this sensitive information.

This women was NOT suffering from a depression-related illness -- her doctor prescribed the medication to help her sleep. She had NO IDEA that by signing up for her managed care plan she was signing up to have her personal health information disclosed to individuals she had never even met!

In an HMO today, anywhere from 80-100 employees may have access to a patient’s medical record according to the Privacy Rights Clearinghouse in San Diego California. With such unrestricted access to one’s personal health information, it’s impossible to separate the health privacy keepers from the "just curious" peepers.

And then of course there are the information reapers.

The ability to compile, store and cross reference personal health information, has made your intimate health history a valuable commodity. In 1996 alone, the health care industry spent an estimated $10 to $15 billion on information technology. Currently there are no laws constraining these information reapers as they delve into large data bases filled with the secrets of millions of individuals. These data bases represent a treasure chest to the information reapers and every aspect of your medical information represents a precious jewel to be mined for commercial gain!

Americans should have the right to say "no" to the reuse of this information.

In a recent national survey by the California Health Care Foundation, 60% of Americans would NOT be inclined to grant access to their personal health information to a hospital offering a preventive care program. Even if a health insurance company offered them better benefits at a lower cost, Americans were not inclined to allow for blanket disclosure of their health information.

Currently when an individual signs on to a health plan there is often no choice to decline enrollment in preventive care or disease management programs or to limit access in any way to one’s personal health information. It’s either agree to disclosure or NO COVERAGE! Americans shouldn’t have to face a choice between their health and their privacy! Three fundamental elements would be included in any consent for disclosure of personal health information. These elements are embodied in a proposal I call Knowledge, Notice, No. Simply stated, individuals should have a right to full knowledge of who will have access to their medical information. They should be given notice for what purpose disclosure of their health information is needed, and they would have the right to say NO to disclosure of information to parties not directly involved with their health care.

I am pleased to stand today with my colleagues Senators Leahy and Kennedy as we introduce the Medical Information Protection and Security Act in both the House and the Senate.

We have 164 days to implement a strong federal medical privacy law. Today we come one step closer to modernizing medical privacy policy for the information age.

I thank you for your concern on this issue and I look forward to addressing your questions.