HHS Announces Proposed Electronic Medical Records Privacy Regulations

(October 30, 1999) The Department of Health and Human Services released proposed regulations for protecting the privacy of electronic medical records on Friday, October 29. Congress considered several bills earlier this year, but failed to pass a comprehensive medical records bill.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provided that if Congress did not enact comprehensive national medical record privacy standards by August 21, 1999, the Department of Health and Human Services (HHS) would be required to promulgate regulations by February 21, 2000.

After years of hearings and debate, and the introduction of numerous bills, Congress did not enact legislation pursuant to HIPAA. The proposed regulations issued by HHS on Friday are part of the process set out in the HIPAA.

"The privacy of Americans is protected in their bank transactions, their credit card statements, and even their video rentals. Yet, until today, Americans had no federal privacy protections for their medical records," HHS Secretary Donna Shalala said in a press release. "These proposed standards are an important step forward in protecting the privacy of some of our most personal information."

"We cannot allow the absence of privacy protections to compromise the quality of care in our nation," Shalala said. "Our proposals will provide Americans with greater peace of mind as they seek care, yet they are balanced with the need to protect public health, conduct medical research and improve the quality of health care for the nation."

Secretary Shalala and President Clinton also held a press conference on the subject Friday morning at the White House. Clinton stated that "I am taking this action today because Congress has failed to act, and because a few years ago Congress explicitly gave me the authority to step in if they were unable to deal with this issue. I believe Congress should act. Members of Congress gave themselves three years to pass meaningful privacy protections, and then gave us the authority to act if they didn't. Two months ago their deadline expired. After three full years there wasn't a bill passed in either chamber."

"Even as we put forward our plan today, I think it is important to point out there are still protections, some of them, we can give our families only if there is an act of Congress passed. For example, only through legislation can we cover all paper records and all employers," said Clinton.

Congress did not enact legislation in part because there was considerable disagreement about some of the key aspects of the bills. Members of Congress could not agree several issues:

• How to treat access to medical records for research purposes.
• Whether to give individuals a private right of action if their rights have been violated.
• Whether to allow states the authority to enact additional laws regulating medical records privacy.

Some of the bills in the House were as follows:

• HR 1057, the Medical Information Privacy and Security Act, introduced on March 10, 1999 by Rep. Ed Markey (D-MA) and cosponsored by 41 Democratic Representatives and Delegates.
• HR 1941, the Health Information Privacy Act, introduced on May 25, 1999 by Rep. Gary Condit (D-CA), and cosponsored by 65 Democratic Representatives and Delegates. (There is substantial overlap in their cosponsorship lists of HR 1057 and 1941).
• HR 2470, the Medical Information Protection and Research Enhancement Act of 1999, introduced on July 12, 1999 by Rep. James Greenwood (R-PA), and cosponsored by 8 Republicans and 2 Democrat (Rep. Earl Hilliard and Rep. William Lipinski).

Some of the bills which have been introduced in the Senate include:

• S 573, the Medical Information Privacy and Security Act, sponsored by Sen. Pat Leahy.
• S 881, the Medical Information Protection Act, sponsored by Sen. Bob Bennett.