So How Many Health Care Privacy Laws Do We Need?

Posted by Tom Jeffry

Last week, under pressure from privacy rights activists, Vermont Senator Patrick Leahy introduced an amendment to the Wired for Health Care Quality Act [S.1693].  Until then, this bill was nurtured along by proponents of health information networks and was poised to be “hotlined” for unanimous consent without debate in Congress.  

The proposed amendment uses language familiar to those of you who have read HIPAA.  Terms such as “protected health information” and “notice of privacy practices” appear in both the HIPAA regulations and the proposed amendment. However, the definitions are dramatically different.  For example, the proposed amendment to S. 1693 includes genetic and biometric information in the definition of protected health information and expands it to information collected or used by health researchers, schools and universities, and employers.  The scope of HIPAA was limited to those traditionally engaged in the delivery of health care such as providers and payers.

When HIPAA was being considered by Congress, the debate over the appropriate level of privacy protections threatened to derail the legislation.  The solution then was to punt the process of establishing privacy and security standards for health care to the administrative rulemaking process of the Department of Health and Human Services.  Deja vu . . . with the introduction of this amendment we are back to privacy concerns threatening legislation that has bi-partisan support to advance health care technology and potentially improve the quality and efficiency of the delivery of health care.  

Of course, there is no requirement that the federal laws and regulations of our nation be consistent, avoid duplication, or otherwise articulate a uniform policy or approach.  As a lawyer, I suppose I should be grateful for that.  Nevertheless, rather than appending the bill intended to develop health information networks with privacy provisions that duplicate and/or contradict the HIPAA regulations, the more rational approach would be to address privacy concerns in an amendment to HIPAA and extend the application of HIPAA to health information networks.  

There are some privacy provisions unique to the concerns of information available and shared through a health information network that are appropriate to retain in the legislation and proposed amendment.  Mandatory notification of security breaches to the network and opt-out rights are specific privacy and security safeguards for the storage and exchange of electronic health records in such networks and addressed in the S. 1693 proposed amendment.