Privacy protections strengthened in health IT bill

But amended version of legislation also states that a "good faith" data disclosure, like a letter sent to the wrong address, would not constitute a privacy breach.

Sponsors of a House bill aimed at creating a nationwide system of electronic medical records have substantially changed the information-sharing and privacy provisions of their proposal after hearing concerns from stakeholders in the healthcare, high-tech and consumer advocacy arenas in recent weeks.

The legislation, sponsored by House Energy and Commerce Committee Chairman John Dingell, D-Mich., and ranking member Joe Barton, R-Texas, is scheduled for committee markup Wednesday.

The bill was introduced in June and passed the Health Subcommittee by voice vote. The original version required healthcare providers to notify an individual upon unauthorized acquisition, access or disclosure of health information and included a safe harbor for encrypted data.

The amended version of the bill, posted on the committee's Web site Tuesday, states that a "good faith" data disclosure, like a letter sent to the wrong address, would not constitute a breach. It would keep a requirement that providers comply with existing federal rules to restrict the amount of health information disclosed to outside parties to a limited data set, and states that consent may be a one-time, aggregated authorization.

If permission to share information is not granted, a health plan would be barred from using data for purposes other than those for which it was disclosed. But the modified consent provision would not take effect until two years after the bill becomes law, and it requires HHS to create "reasonable and workable" implementation rules.

In another revision, health plans and business associates would be barred from selling records without patient permission unless it is necessary for treatment or to receive payment for a patient's treatment. The revised bill also builds on existing federal privacy law to allow for the provision of a free digital copy of an individual's medical record and bolsters marketing language to preclude direct and indirect payment of providers in return for advertising healthcare goods or services to patients without permission. In addition, the reworked language requires the HHS Office of Civil Rights to initiate a formal probe of complaints and allows it to impose fines for violations that rise to the level of willful neglect. Currently, this is done informally and without fines.

Deven McGraw, director of the Center for Democracy and Technology's Health Privacy Project, on Tuesday praised the beefed-up enforcement language and other consumer-friendly modifications. McGraw, along with CBO Director Peter Orszag and others, will testify Thursday at a House Ways and Means Health Subcommittee hearing on the topic.

But America's Health Insurance Plans, an industry lobbying group, has condemned the Dingell-Barton bill, in particular its provisions that would let patients track their information and require permission before records are shared. Those proposals would impede the ability of providers to offer wellness programs, disease management, quality assurance and other important functions, a spokesman said Tuesday.