CONGRESSIONAL RECORD  SENATE S15576
October 24, 1995

     By Mr. BENNETT (for himself, Mr. DOLE, Mr. LEAHY, Mrs.
KASSEBAUM, Mr. KENNEDY, Mr. FRIST, Mr. SIMON, Mr. HATCH, Mr.
GREGG, Mr. STEVENS, Mr. JEFFORDS, Mr. KOHL, Mr. DASCHLE, and Mr.
FEINGOLD): S. 1360. A bill to ensure personal privacy with
respect to medical records and health care-related information,
and for other purposes; to the Committee on Labor and Human
Resources.

THE MEDICAL RECORDS CONFIDENTIALITY ACT OF 1995

     Mr. BENNETT. Mr. President, today I am introducing the
Medical Records Confidentiality Act of 1995. This legislation is
one of the many small steps that are needed to reform our health
care system. I am pleased that a number of my Republican and
Democratic colleagues have joined me in cosponsoring this
legislation.


CR S15577

     I can think of few other areas in our lives that are more
personal and private than is our medical history. Each of us has
a relationship with our doctors, nurses, pharmacists, and other
health care professionals that is unique and privileged. They may
know things about us that we choose not to tell our spouses,
children, siblings, parents, or our closest friends. While our
medical records may contain nothing out of the ordinary, to us
these records should be strictly personal.
     S. 1360 aims, first, to provide Americans with greater
control over their medical records in terms of confidentiality,
access, and security, and second, to provide the health care
system with a Federal standard for handling identifiable health
information. 
     Most Americans believe their medical records are protected
in terms of confidentiality under Federal law. Most Americans are
mistaken. Protecting the confidentiality of our medical records
is an expectation that is yet to be guaranteed as a right. This
legislation is an opportunity for Congress to act in a bipartisan
manner to resolve an important problem within our health care
system. Today over 80 percent of our medical records are paper
based; however, in the not too distant future all of our medical
records will be electronic based. 
     In my opinion and in the opinion of a number of outside
groups such as the Center for Democracy and Technology, American
Health Information Management Association, International Business
Machines Corporation, Blue Cross and Blue Shield Association, and
the American Hospital Association, it is time to put into place
the safeguards and security measures needed to protect the
integrity and confidentiality of our medical records. 
     Patients should be assured that the treatment they receive
is a matter between themselves and their doctor, regardless if
it's a yearly physical, psychiatric evaluation, plastic surgery,
or cancer treatment. The majority of patients agree that
treatment and billing are the two appropriate uses of medical
records. This legislation provides patients the right to limit
disclosure of medical records for purposes other than treatment
and billing and requires separate authorization forms for
treatment, billing and other kinds of disclosures. It also
requires providers to keep a record of those to whom they
disclose information. 
     In the hospital, most patients are unaware that their
records are accessible to almost any health care provider walking
into their room or almost any hospital employee with a computer
who can gain access to the hospital's computer system. There are
a number of doctors and nurses who refuse to be treated in the
hospital where they practice medicine because they know that with
a stroke of a keyboard their colleagues will know why they are in
the hospital and know they are being treated.
     One of the most important issues this legislation addresses
is that of access to personal medical records. It is difficult
for most of us to understand that in many instances individuals
may have great difficulty gaining access to their own medical
records. There are no Federal laws regarding access to medical
records and only a few States allow patients the right to review
and copy their medical records. In many instances, if the medical
record is incorrect the patient never has the opportunity to
address those errors. This legislation would allow individuals
not only access to their records but also the opportunity to
address any errors.
     This legislation will enable organizations and entities
involved in providing health care, or who act as contractors or
agents to providers, to abide by one standard for
confidentiality. Our health care system grows more complex and
sophisticated with each year. Having one standard will simplify
the business of health care, reduce the cost of complying with 50
state standards and allow the continuation of research that will
improve the efficiency of our health care system.
     Currently, the only protection of medical records is under
state laws. At this time there are 34 States with 34 different
laws to protect these records. Only 28 States provide patients
with access to their medical records. My own State of Utah does
not have a comprehensive law to protect medical records or
provide access. Given the transient nature of our society and
that fact that more than 50 percent of the population live on a
State boarder, it is vital that we provide a national standard
for the protection of medical records.
     It is unfair to both the patients and the providers of
medical services not to clearly and concisely outline the rights
of the patient and define the standards of disclosure. The effort
to provide Federal protection of medical records has continued
for the last 20 years. Many of the outside groups that have
provided assistance to me and my staff have been involved for
many of these years. Those groups that have provided assistance
include patient right advocates, health care providers,
electronic data services, insurance companies, health
researchers, States, health record managers to name just a few. I
am grateful to them for their assistance and expertise; without
their efforts we would not be here today.
     I want to express my appreciation to the two leaders,
Senators DOLE and DASCHLE for their support as cosponsors. I am
very pleased to have Chairwoman KASSEBAUM and the ranking
minority member, Senator KENNEDY of Labor and Human Resources
Committee as cosponsors. I want to express my appreciation to
Senator LEAHY for his efforts on this legislation. He has been a
supporter of this legislation for a number of years and I
appreciate his cosponsorship I am also pleased to add Senators
HATCH, FRIST, JEFFORDS, STEVENS, GREGG, SIMON, KOHL, and FEINGOLD
as original cosponsors. I hope the Senate will act swiftly to
hold hearings and to move this legislation through the committee
process to the Senate floor for final consideration. I would urge
my colleagues to support this legislation and would welcome their
cosponsorship.
     Mrs. KASSEBAUM. Mr. President, I rise today to join Senator
BENNETT, the distinguished majority leader, Senators HATCH,
KENNEDY, FRIST, LEAHY, SIMON, and others in introducing the
Medical Records Confidentiality Act of 1995.
     We have spent a great deal of time and energy these last
several months  and will spend even more time during the coming
weeks debating changes to the Medicare and Medicaid programs. As
we debate these changes, the private health care system continues
to literally transform itself overnight.
     While health providers still wrestle with multiple paper
forms and bulky files, increasingly health information and data
is digitally transmitted to multiple databases by highspeed
computers over fiber-optic networks. Many Americans believe their
private medical records are safely stored in doctors' offices and
hospitals. Yet, the evolving health care delivery system and the
technological infrastructure necessary to support it has left
gaping holes in the patchwork of current State privacy laws and
threatened the confidentiality of private medical information. 
     Let me give just one example that highlights both the
promise and the peril of medical information. Recent advances
have allowed researchers to identify a growing number of genetic
characteristics that place individuals at higher-than-average
risk for developing disease. While genetic research provides
tremendous opportunities to help us better treat and manage
illness, disclosure of genetic information also may place
individuals at a greater risk of discrimination in obtaining
health coverage for themselves and their families.
     The Medical Records Confidentiality Act takes a balanced
approach to encouraging the continued development of a world-class health information infrastructure while, at the same time,
assuring Americans that their sensitive medical records are
protected. The legislation is designed to provide all patients
with Federal safeguards for their medical records, whether in
paper or electronic form, and to provide doctors, hospitals,
insurance companies, managed care companies, and other entities
that have access to medical records with clear Federal rules
governing when and to whom they may disclose health information. 
     Mr. President, I applaud Senator BENNETT for taking on such
a complex and important issue. I look forward to working with
him, and with my colleagues on the Senate Committee on Labor and
Human Resources, to see

CR S15578

that this very important piece of legislation is enacted during
the 104th Congress.
     Mr. LEAHY. Mr. President, today I join in introducing the
Medical Records Confidentiality Act of 1995, with Senator
BENNETT, our distinguished colleague from Utah.
     For the past several years, I have been engaged in efforts
to make sure that Americans' expectations of privacy for their
medical records are fulfilled. That is the purpose of this bill.
I do not want advancing technology to lead to a loss of personal
privacy and do not want the fear that confidentiality is being
compromised to stifle technological or scientific development.
     The distinguished Republican majority leader put his finger
on this problem last year when he remarked that a compromise of
privacy that sends information about health and treatment to a
national data bank without a person's approval would be something
that none of us would accept. We should proceed without further
delay to enact meaningful protection for our medical records and
personal and confidential health care information.
     I have long felt that health care reform will only be
supported by the American people if they are assured that the
personal privacy of their health care information is protected.
Indeed, without confidence that one's personal privacy will be
protected, many will be discouraged from seeking help from our
health care system or taking advantage of the accessibility that
we are working so hard to protect.
     The American public cares deeply about protecting their
privacy. This has been demonstrated recently in the American
Civil Liberties Union Foundation's benchmark survey on privacy
entitled   Live and Let Live'' wherein three out of four people
expressed particular concern about computerized medical records
held in databases used without the individual's consent. A public
opinion poll sponsored by Equifax and conducted by Louis Harris
indicated that 85 percent of those surveyed agreed that
protecting the confidentiality of medical records is extremely
important in national health care reform. I can assure you that
if that poll had been taken in Vermont, it would have come in at
100 percent or close to it.
     Two years ago, I began a series of hearings before the
Technology and the Law Subcommittee of the Judiciary Committee. I
explored the emerging smart card technology and opportunities
being presented to deliver better and more efficient health care
services, especially in rural areas. Technology can expedite care
in medical emergencies and eliminate paperwork burdens. But it
will only be accepted if it is used in a secure system protecting
confidentiality of sensitive medical conditions and personal
privacy. Fortunately, improved technology offers the promise of
security and confidentiality and can allow levels of access
limited to information necessary to the function of the person in
the health care treatment and payment system.
     In January 1994, we continued our hearings before that
Judiciary Subcommittee and heard testimony from the Clinton
administration, health care providers and privacy advocates about
the need to improve upon privacy protections for medical records
and personal health care information.
     In testimony I found among the most moving I have
experienced in more than 20 years in the Senate, the subcommittee
heard first hand from Representative Nydia Vela  zquez, our House
colleague who had sensitive medical information leaked about her.
She and her parents woke up to find disclosure of her attempted
suicide smeared across the front pages of the New York tabloids.
If any of us have reason to doubt how hurtful a loss of medical
privacy can be, we need only talk to our House colleague.
     Unfortunately, this is not the only horrific story of a loss
of personal privacy. I have talked with the widow of Arthur Ashe
about her family's trauma when her husband was forced to confirm
publicly that he carried the AIDS virus and how the family had to
live its ordeal in the glare of the media spotlight.
     We have also heard testimony from Jeffrey Rothfeder who
described in his book   Privacy for Sale'' how a freelance artist
was denied health coverage by a number of insurance companies
because someone had erroneously written in his health records
that he was HIV-positive.
     The unauthorized disclosure and mis-use of personal medical
information have affected insurance coverage, employment
opportunities, credit, reputation, and a host of services for
thousands of Americans. Let us not miss this opportunity to set
the matter right through comprehensive Federal privacy protection
legislation.
     As I began focusing on privacy and security needs, I was
shocked to learn how catch-as-catch-can is the patch-work of
State laws protecting privacy of personally identifiable medical
records. A few years ago we passed legislation protecting records
of our videotape rentals, but we have yet to provide even that
level of privacy protection for our personal and sensitive health
care data.
     Just yesterday the Commerce Department released a report on
Privacy and the NII. In addition to financial and other
information discussed in that report, there is nothing more
personal than our health care information. We must act to apply
the principles of notice and consent to this sensitive, personal
information.
     Now is the time to accept the challenge and legislate so
that the American people can have some assurance that their
medical histories will not be the subject of public curiosity,
commercial advantage or harmful disclosure. There can be no doubt
that the increased computerization of medical information has
raised the stakes in privacy protection, but my concern is not
limited to electronic files.
     As policymakers, we must remember that the right to privacy
is one of our most cherished freedoms it is the right to be left
alone and to choose what we will reveal of ourselves and what we
will keep from others. Privacy is not a partisan issue and should
not be made a political issue. It is too important.
     I am encouraged by the fact that the Clinton administration
clearly understands that health security must include assurances
that personal health information will be kept private,
confidential and secure from unauthorized disclosure. Early on
the administration's health care reform proposals provided that
privacy and security guidelines would be required for
computerized medical records. The administration's Privacy
Working Group of its NII task force has been concerned with the
formulation of principles to protect our privacy. In these
regards, the President is to be commended.
     The difficulties I had with the initial provisions of the
Health Security Act, were the delay in Congress' consideration of
comprehensive privacy legislation for several more years and the
lack of a criminal penalty for unauthorized disclosure of
someone's medical records.
     Accordingly, back in May 1994, I introduced a bill to
provide a comprehensive framework for protecting the privacy of
our medical records from the outset rather than on a delayed
basis. That bill was the Health Care Privacy Protection Act of
1994, S. 2129. I was delighted to receive support from a number
of diverse quarters. We were able to incorporate provisions drawn
from last year's Health Care Privacy Protection bill into those
reported by the Labor and Human Resources Committee and the
Finance Committee. These provisions were, likewise, incorporated
in Senator DOLE's bill and Senator Mitchell's bills, indicating
that the leadership in both parties acknowledges the fundamental
importance of privacy.
     Although Congress failed in its attempt to enact meaningful
health care reform last Congress, we can and should proceed with
privacy protection  whether or not a comprehensive health care
reform package is resurrected this year. I am proud to say that
the Medical Records Confidentiality Act that Senator BENNETT and
I are introducing today, derives from the work we have been doing
over the last several years. I am delighted to have contributed
to this measure and look forward to our bipartisan coalition
working for enactment of these important privacy protections.
     Our bill establishes in law the principle that a person's
health information is to be protected and to be kept
confidential. It creates both criminal

CR S15579

and civil remedies for invasions of privacy for a person's health
care information and medical records and administrative remedies,
such as debarment for health care providers who abuse others'
privacy.
     This legislation would provide patients with a comprehensive
set of rights of inspection and an opportunity to correct their
own records, as well as information accounting for disclosures of
those records.
     The bill creates a set of rules and norms to govern the
disclosure of personal health information and narrows the sharing
of personal details within the health care system to the minimum
necessary to provide care, allow for payment and to facilitate
effective oversight. Special attention is paid to emergency
medical situations, public health requirements, and research.
     We have sought to accommodate legitimate oversight concerns
so that we do not create unnecessary impediments to health care
fraud investigations. Effective health care oversight is
essential if our health care system is to function and fulfill
its intended goals. Otherwise, we risk establishing a publicly
sanctioned playground for the unscrupulous. Health care is too
important a public investment to be the subject of undetected
fraud or abuse.
     I look forward to working with my colleagues both here in
the Senate and in the House as we continue to refine this
legislation. I want to thank all of those who have been working
with us on the issue of health information privacy and, in
particular, wish to commend the Vermont Health Information
Consortium, the Center for Democracy and Technology, the American
Health Information Management Association, the American
Association of Retired Persons, the AIDS Action Council, the
Bazelon Center for Mental Health Law, the Legal Action Center,
IBM Corp. and the Blue Cross and Blue Shield Association for
their tireless efforts in working to achieve a significant
consensus on this important matter.
     With Senator BENNETT's leadership and the longstanding
commitment to personal privacy shared by Chairman KASSEBAUM and
Senator KENNEDY, I have every confidence that the Senate will
proceed to pass strong privacy protection for medical records.
With continuing help from the administration, health care
providers and privacy advocates we can enact provisions to
protect the privacy of the medical records of the American people
and make this part of health care security a reality for all
Americans.