The Digital Age and Data Privacy
Buchalter, Alice, Waisanen, Bert, Government Finance Review
As the 106th Congress moves through its shortened election-year session of challenging policy topics, a number of information privacy issues, prompted by advances in technology, have emerged as legislative proposals.
One indicator of the level of congressional interest in privacy issues is the amount of legislation pending in the Congress. According to the Library of Congress on-line database, there are dozens of bills addressing privacy of financial and other information in the 106th Congress, with almost 50 of them highlighting a privacy issue in the bill title.
Another development indicating ongoing congressional interest is the recent establishment of a Congressional Privacy Caucus, which is an informal network of interested senators and representatives. Their guiding principles call for clear notice to individuals when firms or government agencies collect or disclose personally identifiable information, individual access to that information and consent regarding its use for purposes other than those originally provided, and protection of stronger state privacy laws from federal preemption.
Medical Records Privacy
In 1996, Congress enacted legislation (the Health Insurance Portability and Accountability Act, Public Law 104-191) providing that if medical record privacy legislation was not enacted within three years (by August 21, 1999), the Department of Health and Human Services (HHS) would be required to implement regulations within the following six months. The regulations were to cover only electronically maintained or transferred medical information. During that three-year period, Congress wrestled with numerous bills but was never able to reach a consensus among medical providers, insurers, and privacy advocates. Absent the enactment of legislation, in October 1999 the Clinton administration released comprehensive regulations establishing privacy protections for electronically transmitted health information.
The proposed rules represent the first federal effort to protect the privacy of medical records and are designed to greatly limit the release of private health information without patient consent. The regulations are applicable to electronic medical records created by health care providers, health plans, and health care clearinghouses. Under these regulations, health information can be disclosed and used without patient consent only when necessary for medical treatment; the payment of claims; and certain "health care operations," including developing clinical guidelines and assessing quality of care. The regulations grant patients the right to inspect, obtain copies of, and request corrections to their medical records. State laws that provide less stringent protections, with specified exceptions for certain public health functions, would be preempted.
HHS initially set January 3, 2000, as the deadline for comments. On December 15, 1999, a notice was published extending the comment period an additional 45 days, stating that the "scope of the rule, the significant implications for the health care system, and the substantial public interest" necessitated allowing more time for "more informative comments." In fact, major health care and consumer groups had argued for an extension, citing the technical complexity of the issue. HHS is currently reviewing more than 50,000 comment letters and e-mails, and has assigned 70 employees to summarize comments dealing with more than 100 separate issues. Given the enormity of this task, HHS will not set a target date for publication of a final rule. …