Lobbyists for the health industry are close to a victory over consumer groups in a dispute about when patients should be told their digital medical records have been lost, stolen or mishandled.
The tug-of-war over a little-known federal privacy rule--which has drawn in Congress, regulators and an array of interest groups--highlights the behind-the-scenes activity touched off by the government's effort to spend some $45 billion in economic stimulus funds to push medical data online. Federal regulators are working against tight deadlines to write all kinds of rules governing the digital system, one that the Obama administration hopes most health care providers will adopt in the next five years.
As with many Washington initiatives, the way the rules are written may have more of an effect on consumers than the original law passed by Congress.
One of the most contentious questions so far is when--and how--health care providers will have to notify patients if their privacy is breached.
Some lawmakers, consumer groups and industry analysts argue that hospitals and insurance companies should be required to let patients know about any unauthorized disclosure of their health data. However, under a provisional rule released by regulators from the Department of Health and Human Services, a health care provider only would have to notify patients if the provider determines the breach "poses a significant risk of financial, reputational, or other harm to the individual.''
Officials from the hospital and insurance industries have long contended that it is unnecessary to notify patients of every routine error in handling data--sending a billing statement to the wrong address, for example. Such a requirement, they say, not only would be costly but also would overwhelm consumers and make them less likely to notice when a real problem occurred.
"We thought it was important... to make sure that they are being notified for something where there is truly a risk," said Joel Slackman, managing director of policy with the Blue Cross Blue Shield Association.
But some do not believe the definition of harm should be left for the hospitals or insurers to interpret. "It's sort of like letting the fox guard the hen house," said Paul Cotton, a lobbyist for the AARP who works on health information technology issues.
Questions about how government should monitor and regulate the security of digitized personal data have been brewing for years in Washington and in state capitals. California first advanced the idea that consumers should be told when their data is mishandled, passing a law in 2003 requiring notification whenever protected information got into unauthorized hands.
Few people took notice until 2005 when ChoicePoint, a Georgia-based data-collecting company, was forced to notify tens of thousands of Californians that their files had been accessed by unauthorized users who might have been identity thieves. No other state had a similar requirement, so initially ChoicePoint refused to notify people elsewhere, sparking outrage from many consumers and government officials.
Soon, other states followed California's lead and enacted similar laws. But few specifically apply to health data and the majority only require notification if companies determine there may be some harm as a result of the breach.
Earlier this year, when the Obama administration began crafting its stimulus bill, industry lobbyists called for a harm standard but did not get specific language into the bill.
In April, the regulators began looking at how to create a rule that would make the breach law work in practice, inviting public comment. Some groups took the public comment period as a chance to influence regulators to require notification only in cases of clear harm.
"Future regulations or guidance should use a 'harm standard' when evaluating whether a breach of protected health information has actually occurred," wrote a representative from America's Health Insurance Plans, the insurance industry's main lobbying group.
The American Hospital Association urged regulators to make federal rules fit with less-stringent state measures "so that federal notice is not required when notice under state law is not required."
Regulators agreed. In August, they included a harm standard in their provisional rule. They have up to a year to decide whether to make any changes to the rule based on the public comments they received.
But a group of six House members, five of whom are the top members on the key committees that wrote the legislation and include one Republican, were angered when they saw the provisional rule. In an October letter to federal health officials, the legislators wrote that they had "ultimately decided against inclusion of a harm standard" in favor of one "that has a black and white standard for notification" because that "makes implementation and enforcement simpler."
The breach rule is one of many critical regulations being written for the new system of online medical records. Some others deal with equally vexing privacy questions, such as how companies will be able to use medical data for marketing and research as well as how government officials should penalize companies for breaking the rules.
Balancing privacy with so many competing interests is daunting, said Dixie Baker, who chairs a working group on privacy and security that is advising the new Office of the National Coordinator. The office was established by the stimulus bill to lead the effort to digitize medical records.
"All privacy is always a value judgment and how well your privacy is protected is always an individual decision," said Baker. "Privacy is the most personal value we have."
But privacy is only one of many topics being addressed by the Office of National Coordinator, which is headed by Harvard Medical School professor David Blumenthal. One of the most closely watched issues is the standard that doctors and hospitals will have to meet to receive tens of thousands of dollars in federal reimbursement for going electronic. The first draft of that rule must be released by the end of the year.
"It's like drinking from a fire hose," said Eva Powell, director of the Health Information Technology Project with the National Partnership for Women and Families. And if the rules are not handled well, she said, "it will not only be a waste of opportunity but of an awful lot of money."