House Energy and Commerce Chairman John Dingell and ranking member Joe Barton plan to introduce legislation on Tuesday aimed at accelerating the nationwide adoption of electronic medical records.
Comment on this article in The Forum.Their bill, which incorporates language from several other measures, comes a month after they unveiled a discussion draft that generated a torrent of comments from the healthcare, high-tech and consumer advocacy communities.
Energy and Commerce Health Subcommittee Chairman Frank Pallone, D-N.J., held a preliminary hearing on the topic this month where members heard a variety of viewpoints, many of which emphasized patient privacy concerns.
To address those fears, the bill clarifies the definition of a security "breach" and adopts California's model of breach notification, which goes beyond existing federal privacy law to require that patients be alerted about the exposure of any unencrypted health information.
The legislation would give HHS the power to approve technologies that are equally or more effective than encryption and, rather than requiring notification within 15 days of a breach, calls for an alert "without unreasonable delay" or within 60 days, whichever is first.
The bill also calls for HHS to publish a list of entities that experience breaches affecting more than 1,000 people and requires that healthcare providers get patient consent before sharing medical records with other entities.
It would strengthen the enforcement of privacy requirements in the 1996 Health Insurance Portability and Accountability Act by clarifying that criminal penalties can be applied to an individual who improperly obtains records.
That modification is intended to address an opinion issued by the Justice Department's Office of Legal Counsel that has prevented federal prosecutors from charging individuals criminally for disclosing health information unless the defendant is a "covered entity" like a healthcare provider.
"Although shifting from paper to electronic health records would greatly benefit patients and healthcare providers, we currently lack the infrastructure to make this much-needed transition work," Dingell said in a Monday statement.
"The provisions included in this bipartisan proposal will encourage faster adoption of health information technology while also ensuring that patients' health information is protected," he added.
Barton called the bill, similar to one introduced by Senate Health, Education, Labor and Pensions Chairman Edward Kennedy and ranking member Michael Enzi, a "fine beginning" to encourage health IT expansion.
Barton said the importance of the measure's privacy provisions were brought home when some of his own medical records were lost when a laptop was taken from the trunk of a National Institutes of Health employee's car.
The legislation reflects "how people expect their most sensitive and personal information to be properly handled by their healthcare providers in the digital age," he said.
A spokeswoman for Rep. Mike Rogers, R-Mich. -- who introduced a health IT bill with Rep. Anna Eshoo, D-Calif., in October -- said her boss is pleased that some of their language was included in the Dingell-Barton measure.
But she said Rogers is worried that some provisions "might put limitations on the ability of healthcare providers to implement a smooth system that works well and still protects the security of the information." He plans to further articulate those concerns at Wednesday's markup of the legislation in Pallone's panel.
But others, like Patient Privacy Rights founder Deborah Peel, are not impressed.
"In a word, 'no.' We still don't have a common sense definition of privacy," said Peel, who testified at the subcommittee hearing.
She said the legislation is almost identical to the draft and "would never fly with the public." She said the bill "needs to end the 'commodification' of health information because nobody should be able to use, sell, trade or disclose your electronic health records without your permission."