HEALTH CARE PERSONAL INFORMATION NONDISCLOSURE ACT OF 1999 -- (Senate - March 15, 1999)

[Page: S2681]

---

    Mr. JEFFORDS: Mr. President, I rise today to speak about the Health Care Personal Information Nondisclosure Act, or the Health Care PIN Act of 1999, which I introduced last Wednesday with my friend, Senator DODD. This timely piece of bipartisan legislation sets the necessary national standards that will secure the privacy and confidentiality of every American's medical records.

   This legislation clarifies patients' rights to copy or amend their medical records. The legislation also encourages insurers and providers with large sets of records to implement their own safeguards and protections from misuse. It sets clear guidelines for the use and disclosure of medical information by health care providers, researchers, insurers, and employers. Most importantly, it requires that individually identifiable health care information not be released without the patient's informed consent.

   In the past few decades, the delivery and administration of medicine have evolved by leaps and bounds. Technological advances have contributed to a better and more efficient health care system. They create new opportunities for the prevention and treatment of disease. Electronic pharmaceutical records make it possible for pharmacists to identify potential drug interactions before they fill a prescription. Telemedicine will make it possible for patients at Copley Hospital in Morrisville, Vermont, a small village of 2,000 people, to benefit from the expertise of physicians fifty miles away at Fletcher-Allen, Burlington, Vermont's nationally known academic medical center.

   The improved access to this information does not come without a risk. We often don't know with any certainty, who has access to our private records. The establishment of large computer databases, some with millions of patient records, has not only allowed for new, life-saving medical research but has increased the potential for misuse of private medical information.

   Last month, for example, at the University of Michigan Medical Center, several thousand patient records were inadvertently posted on an Internet site. Private patient records containing names, addresses, employment status, and treatment for specific medical conditions lingered on the Web for two months. Fortunately, in this case, the lapse was discovered before anyone accessed the site, or any damage done.

   The Health Care PIN Act establishes clear guidelines for the use and disclosure of medical records by health care providers, researchers, insurers, and employers. With very few exceptions, individually identifiable health care information should be disclosed for health purposes only, which includes the provision and payment of care and plan operations. In order to protect patients from abuse and exploitation, this bill imposes civil and criminal penalties on individuals who use information improperly through unauthorized disclosure.

   Other nations have taken steps to protect patient privacy. In 1995, the European union enacted the Data Privacy directive. This Directive requires all 15 European Union member states establish consistent national privacy laws. This initiative raises the concern that the European Union could limit the flow of data between countries that do not provide for comparable protections. If we do not act promptly, this directive may act as a deterrent to the international exchange of health information and restrict the ability of American companies to compete overseas.

   Even more pressing is the Health Insurance Portability and Accountability Act of 1996, also known as the Kassebaum-Kennedy Act, which established several mandates relating to medical records privacy. One provision set August, 1999, as the deadline by which Congress must act to ensure the confidentiality of electronically transmitted data. If, for some reason, Congress fails to act by this date, HIPAA includes a default provision directing the Secretary of Health and Human Services to promulgate regulations. We are introducing this bill now and we must act as soon as possible in order to meet the HIPAA deadline.

   Our bill recognizes that some states, like my home state of Vermont, have already taken the lead in the area of privacy protections. Last year's bill provided a uniform federal standard for protected health information, with the exceptions of state mental health and public health laws. In addition to these protections, this bill will also allow stronger medical records privacy laws enacted prior to the effective date of the act to remain in place.

   Senator DODD and I look forward to working with members of the Committee on Health, Education, Labor, and Pensions, as well as others who have contributed time and effort to this issue, as we move forward to enact this necessary and bipartisan Health Care PIN Act of 1999.

END