Uniform privacy rules are debated

Privacy RFP, Office of the National Coordinator for Health IT

A long-running debate over protecting the privacy of health information made an appearance at a House Ways and Means Committee subcommittee hearing Wednesday.

On one side, privacy advocates disparage the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as weak and outdated. They support states' right to adopt more stringent privacy laws, rules and policies.

On the other side, advocates of national health information exchanges and electronic medical records decry the mishmash of state laws and say it will be nearly impossible to have a national system without laws and rules that are uniform nationwide. They want Congress to override the state privacy rules that are tougher than HIPAA rules.

Representing the privacy advocates’ side of the argument Wednesday was Joy Pritts, a lawyer and assistant research professor in Georgetown University’s Health Policy Institute. She specializes in HIPAA and related health privacy issues.

HIPAA “was designed as a minimum set of standards from the outset,” she told the subcommittee members. “Where we should not end up is relying on the HIPAA privacy law as it is written now.”

Although Pritts supports states’ enactment of higher levels of privacy protection, she also called on Congress to strengthen the federal rules. Referring to a recent Justice Department ruling that bars under HIPAA the prosecution of individuals who disclose patients’ health information to unauthorized persons, she emphasized the need to expand the kinds of organizations and individuals that HIPAA forbids to make such disclosures.

“Large volumes of identifiable health information [are] vulnerable to improper access and disclosure without any real remedies,” she testified. "Forming a national health information infrastructure without adequate federal privacy protections threatens not only the privacy of patients but also the very viability of such a system.”

Taking the side of federal pre-emption was Mary Grealy, president of the Healthcare Leadership Council, an organization of health industry executives. Complying with the patchwork of state laws “in the context of HIPAA implementation…has been extremely difficult,” she said. “In the context of a [National Health Information Network], it is potentially impossible.”

Grealy added that “a NHIN that is constrained by various state authorization or consent requirements will provide only a fraction of the speed and efficiency necessary to improve patient outcomes.”

Dr. Don Detmer, president and CEO of the American Medical Informatics Association, agreed with Grealy. “I doubt that we can get to the common standards and interoperability that must underlie the widespread adoption of electronic health records without federal pre-emption of conflicting state laws,” he said. Detmer added that more comprehensive national privacy standards than the HIPAA rules are needed.

The Office of the National Coordinator for Health Information Technology has solicited proposals from would-be contractors who will develop plans to address variations in organization-level business policies and state laws that affect privacy and security practices, including those related to HIPAA, which may pose challenges to interoperable health information exchange.

Rep. Nancy Johnson (R-Conn.), chairwoman of the subcommittee, said she agreed that a uniform national rule is needed, but predicted that it will be a multiyear process to resolve the differences among the factions on this issue.