Millions of people may have had their privacy compromised on a downtown San Antonio street in September. Data tapes that hold health information for about 4.9 million people who received treatment or had their tests processed at military facilities in Texas were stolen from a car belonging to an employee of a government contractor.

That theft is one of more than 370 major medical-information breaches posted on the U.S. Department of Health and Human Services (HHS) Web site since 2009, spotlighting the potential problems presented by electronic records that are intended to improve the health care system by making more information available at a faster speed. The breaches involve health information stored on computer networks and devices that include laptops and memory cards, as well as paper and X-ray records.

With the potential for millions of medical records to be accessed with the click of a mouse, the Obama administration is looking to give patients the ability to see who is viewing their records. An HHS rule proposed this year would let patients obtain reports that would contain information about who accessed their electronic medical records in the past three years.

The Healthcare Leadership Council, a group of health care company chief executives from hospitals, health plans and other businesses, has lined up against the rule. Through its Confidentiality Coalition, which includes almost 100 health care companies and organizations, the Council is urging HHS to withdraw the proposed rule. The president of the Council wrote an Aug. 1 letter to HHS in which she said the department created a new “privacy right” with little justification.

If implemented as written, Council President Mary Grealy wrote, the regulation “will require dramatic and expensive new systems, with enormous financial and manpower consequences — for an exceedingly limited and untargeted patient interest. These technology and financial resources will, of necessity, result in the diversion of resources away from patient care. This is a balance that generally makes no sense, but especially not in our overburdened healthcare environment.”

Two of the Coalition members are CVS Caremark Corp. and WellPoint Inc., the parent company of Anthem Blue Cross Blue Shield, which provides insurance plans in 11 states. According to congressional records, Anthem paid McGuireWoods Consulting $85,000 and CVS gave Alston & Bird $60,000 for advocacy work done during the first three quarters of this year on medical records and other health care issues.

A WellPoint spokeswoman directed questions about Anthem’s lobbying on medical records to Healthcare Leadership Council’s senior vice president for policy, Tina Grande, who referred the inquiries to Council Executive Vice President Michael Freeman. Freeman didn’t respond to requests for comment. A CVS representative didn’t have an immediate comment on the pharmacy’s advocacy work on the issue.

PRIVACY CONCERNS

Medical records privacy also is in the cross hairs of Congress.

Sen. Al Franken (D-Minn.), chairman of the Senate Judiciary Committee’s privacy, technology and the law subcommittee, held a hearing last month to explore the protection of health information. Franken said in remarks prepared for the hearing that electronic records are a “wonderful technology,” but present “very real and very serious privacy challenges.

“I believe all Americans have a fundamental right to know who has their personal information — and to control who gets that information and who it is shared with,” Franken said. “I also think that our fundamental right to privacy includes the right to know that our sensitive information — wherever it is — is safe and secure. And unfortunately, breach after breach of health data has shown us that when it comes to health information, our right to privacy is not being protected.”

James Pyles, a Powers Pyles Sutter & Verville co-founder who lobbies for the American Psychoanalytic Association, said privacy breaches erode the confidence people have in the medical community, erecting barriers between patients and doctors. In the case of his client, Pyles said, psychoanalysts can’t do their job without privacy for patients. “The number one priority should be: How do we preserve the patient’s trust?” he said.

Franken hasn’t introduced legislation this Congress regarding the protection of medical information, but he is a co-sponsor of a couple of bills that broadly address data security.

The Personal Data Privacy and Security Act is one of those measures. The legislation, which is sponsored by Senate Judiciary Chairman Patrick Leahy (D-Vt.), would create standards on how businesses — but not members of the health care community — establish safeguards to protect personal information and notify individuals whose privacy has been breached. The bill also would put in place tougher penalties for individuals who deliberately cover up data breaches, including intrusions into public health information. The House also has bills that concern data protection in a global sense. But none of the measures has received votes in committee.

Stephanie Kennan, who lobbied for CVS and other health care industry clients before leaving Alston & Bird this fall to join McGuireWoods Consulting as a senior vice president, said health care companies are concerned about rules from the pending data-security measures that may compete with existing health-privacy laws. Without a single set of rules, companies would have challenges training employees and could face multiple punishments for one infraction, she said.

“I think one of the things that gets lost in this conversation is companies have to put in place safeguards,” Kennan said.

Congress has tackled health information privacy in a few major bills over the past 15 years.

In 1996, Congress approved the Health Insurance Portability and Accountability Act, or HIPAA, which established standards for health data protection and prohibited health care providers and insurers from disclosing patient information to some third parties without the individual’s permission. Then, in 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act as part of the American Recovery and Reinvestment Act, which made those standards applicable to contractors and ordered health care providers and insurers to let individuals know when their privacy has been breached.

A year later, Congress approved the Patient Protection and Affordable Care Act, President Barack Obama’s sweeping health care legislation, which authorized HHS to create rules for the electronic transmission of health care financial and administrative transactions and requires health plans to certify that they are complying with operating rules and standards for their data by 2013.

The Obama administration now is using monetary incentives to encourage the use of electronic medical records. But by 2015, health care providers who don’t use them will receive less Medicare funding.

Sen. Tom Coburn (R-Okla.), the top Republican on the Senate Judiciary privacy, technology and the law subcommittee, said at Franken’s hearing that mandating electronic health records is expensive and might be a fruitless exercise. The senator is a physician, specializing in family medicine, allergy treatments and obstetrics. “I have a real concern both on the privacy issue, but also the goal we’re trying to accomplish might not be accomplishable,” Coburn said. “There are always going to be people that go around.”

Andrew Ramonas can be contacted at aramonas@alm.com.