The Health Information Technology Promotion Act Could Undermine Patient Privacy
By Government Relations
February 28, 2006 Psychologists are concerned that the Health Information Technology Promotion Act (H.R. 4157), proposed by Representative Nancy Johnson, could weaken the privacy of patient records afforded through the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and State laws.
Psychologists support promotion of health IT, but patient privacy must be promoted at the same time. Health information technology (health IT) — the use of computers and computer programs to store, protect, retrieve, and transfer patient information electronically within the healthcare system — should be explored to improve the quality, safety, and effectiveness of patient care. A central goal of health IT is that patient records will be electronically accessible as needed throughout the healthcare system. The privacy of patient records, however, should not be sacrificed in the development of a national system of electronic patient records. Rather, privacy should be a cornerstone in health IT development.
H.R. 4157 could undermine patient privacy for health IT expediency. H.R. 4157 proposes some good initiatives to promote health IT, including the appointment of a national health IT coordinator and promoting technology and training services for health care professionals. While these are good ideas, the bill would also allow the Secretary of Health and Human Services to revisit the HIPAA Privacy Rule to write new privacy standards in light of health IT. Worse, since the Privacy Rule provides only a floor of privacy protection — preserving from federal preemption State laws that are more protective of patient privacy — H.R. 4157 could preempt these stronger State laws. The bill does require that the Secretary study the strengths and weaknesses of State laws and the Privacy Rule standards and determine whether the Privacy Rule should be revised. It also allows time for Congressional action, however H.R. 4157 does not guarantee that privacy will be paramount in the rules rewrite.
Mental health records need heightened privacy protections. Mental health records are particularly vulnerable to disclosure, because they typically contain information that could lead to a patient’s embarrassment or stigmatization. For these patients, even the potential loss of records’ privacy could be devastating. The patient and psychologist or other psychotherapist must maintain control over the release of these records into the healthcare system since, as the U.S. Supreme Court recognizes in Jaffee v. Redmond, their relationship is “rooted in the imperative need for confidentiality and trust” and that the “mere possibility” of disclosure could impede the development of a confidential relationship necessary for successful treatment.
H. R. 4157 could take away heightened mental health protections now in the law. Due to the particular sensitivity of mental health records, persons seeking and receiving mental health treatment have greater privacy needs than those individuals receiving general health services. This heightened need is recognized in special mental health records' protections in the HIPAA Privacy Rule and many State laws that provide additional mental health records’ protections.
These protections include—
• The Privacy Rule’s patient authorization requirement for release of psychotherapy notes for purposes beyond the treating psychologist or other psychotherapist relationship.
• All 50 States and the District of Columbia require patient consent, if not authorization, for some of the most common releases of mental health records where the Privacy Rule would allow release without patient permission. This affords the patient an important degree of protection for sensitive records. Connecticut, for example, has a very protective law, where a psychologist or other provider must obtain consent for any release of protected information, except in narrow circumstances.
• California, DC, Illinois, Indiana, Iowa, Maine, Maryland, Montana, Washington and Wisconsin have laws that go beyond consent to require specific patient authorization for release of records in various circumstances.
• Some States have enacted laws that are highly protective of mental health records. For example, New Jersey strictly limits the information that an insurer may request about a psychologist's patient for the insurer's reimbursement purposes and only with patient authorization. In California an outside party seeking information about outpatient psychotherapy must seek permission directly from the patient and mental health professional, provide an explanation of intended use, and provide assurances about maintaining the privacy of the information.
Psychologists are deeply concerned that H.R. 4157 could potentially weaken or preempt all of these patient privacy protections without providing a strong federal standard. Instead, Congress should enact legislation that ensures that patient privacy is protected in legislation that fosters the development of health IT.
The Wired for Health Care Quality Act (S. 1418), proposed by Senator Michael Enzi, offers sound ideas to promote health IT while specifically preserving patient records' privacy. These include appointing a national coordinator and a private-public collaborative body to promote health IT, and providing grants and fostering voluntary adoption of health IT in the healthcare system. Ensuring patient privacy is a specific goal of these initiatives. In fact, S. 1418 specifically preserves the state laws that H.R. 4157 would preempt.
