APA Cites Privacy Worries in Health Technology Bill

Legislation to advance the shared goal of Congress and President Bush to establish a national health information technology (HIT) infrastructure within 10 years has raised objections from APA and other mental health organizations.

APA has opposed the Wired for Health Care Quality Act (S 1693) over concerns it would provide inadequate security and privacy protections for patients. The bill is sponsored by Sen. Edward Kennedy (D-Mass.) and had 12 cosponsors at press time. Similar legislation (HR 3800) was introduced in early October in the House by Rep. Anna Eschoo (D-Calif.) but has not yet advanced.

“Carefully structured HIT development has the potential to raise the overall quality of care provided to patients, inform health professionals of the latest standards of care, and improve efficiency in electronic communication of important health care information,” the Mental Health Liaison Group, which includes APA, wrote in a letter to the bill's sponsors.“ But the potential of health information technology can only be realized if health information privacy and security are keystones to such development.”

The Senate bill, approved by the Health, Education, Labor, and Pensions Committee on August 1, would require government purchases of HIT to meet basic standards on information exchange. A panel of government and private-sector stakeholders—including a representative of patient or privacy advocacy groups—would recommend the standards. A total of $278 million would be authorized for Fiscal 2008 and 2009 for competitive matching grants to regional and local HIT networks. The regional networks created under the legislation would unite insurers, doctors, hospitals, and other health care providers into a single HIT network that can share information. The grants would be available for five years.

The measure is similar to two separate bills passed by both the House and Senate in the previous Congress, but differences in the two bills were never resolved.

Kennedy said that $140 billion would be saved annually through expanded HIT use. Those savings could cut the cost of a family's health insurance by over $700 a year.

Privacy advocates, including APA, raised concerns that digitizing health records would leave patients open to violations of their privacy rights and identity theft. The legislation would bring HIT databases under the protections of an existing patient privacy law (PL 104-191). However, further patient protections are needed, according to APA.

Additional provisions sought by APA include an acknowledgement of patients' right to health information privacy, inclusion of a right of consent for the disclosure of identifiable information in routine situations, requirement to notify patients when their privacy is breached, and strong enforcement measures for violations of privacy.

Also needed is continuous congressional involvement and approval of any recommendations developed by the Office of the National Coordinator of Health Information Technology or any public-private partnerships APA said.

“The many privacy breaches of electronic health information systems that have occurred over the past two years underscore the merit of ensuring that strong privacy protections be included in HIT legislation in order to preserve the patient's and the public's trust and confidence in the health delivery system,” according to the letter.

The Senate bill's progress was slowed by privacy advocates in the Senate, including Sen. Patrick Leahy (D-Vt.), who introduced an alternate HIT bill (S 1814). The Leahy bill includes many of the provisions APA sought in the Kennedy bill, including the right of all individuals to inspect and copy their own health records and to receive notice of the privacy practices of data brokers and others who store this information in electronic databases. The bill also prohibits the disclosure or use of health information without a patient's authorization and requires patient notification of a health information security breach within 15 days of discovery of the breach.

The bill also contains criminal and civil penalties for illegal disclosure of HIT records and for companies that do not take adequate care in safeguarding them.

The text of S 1693 is posted at<www.psych.org/members/advocacy_policy/leg_issues/S1693.pdf>, and the text of S 1814 is posted at<www.psych.org/members/advocacy_policy/leg_issues/S1814.pdf>.▪