Hawaii Lawmakers Reconsider Privacy Law

Published July 1, 2001

Mass confusion has forced Hawaii lawmakers in the 2001 legislative session to put a medical records privacy law on hold and convene a special task force to review the law and recommend changes. The task force’s report was expected by July 1.

In 1999, the state legislature had passed “The Privacy of Health Information Act,” a medical records law mandating that medical information could be exchanged without patient permission only among doctors, hospitals, and health insurance companies. Others seeking private medical information must first obtain a signed release from the patient. The legislation provides civil and criminal penalties for violations.

However well-intentioned, the law has presented a compliance nightmare for organizations and individuals handling medical records.

State-Federal Conflict

One issue here is the conflict between state law and the July 1 effective date of a new federal law, the Gramm-Leach-Bliley Act. Many Hawaii legislators have called for repeal of the state-specific law, saying the federal measure offered better protection for the confidentiality of medical data contained in records.

The Gramm-Leach-Bliley Act, primarily a banking bill, sets standards for handling all private information. Title V of the act requires development and disclosure by all financial institutions of privacy policies governing the sharing of non-public personal information with affiliates and third parties. Specifically, the measure

  • requires that consumers receive notice of their right to “opt-out” of sharing of non-public personal information with nonaffiliated third parties; only certain limited exceptions are allowed.
  • clarifies that the disclosure of a financial institution’s privacy policy is required to take place at the time of establishing a customer relationship, and then not less than annually during the relationship.
  • extends the time period for completion of a study on financial institutions’ information-sharing practices from 6 to 18 months from date of enactment.
  • requires that regulators issue rules for the disclosure of institutions’ privacy policies within six months of the date of the bill’s enactment. The rules become effective six months after they are issued, unless the regulators specify a later date.
  • assigns authority for enforcing the subtitle’s provisions to the Federal Trade Commission and the federal banking agencies, the National Credit Union Administration, and the Securities and Exchange Commission, according to their respective jurisdictions, and provides for enforcement of the subtitle by the states.

Too Big a Hurry

The Hawaii measure has presented problems in part because the legislature was in too great a hurry to adopt it. Hoping to guarantee more protection for patients than had been available before the measure was passed, lawmakers instead produced a confusing and difficult-to-implement patchwork of differing laws.

According to George Bussey, medical director for Queen’s Health Plans and a member of the task force charged with reviewing the Hawaii law, the state legislators were not given an opportunity to review the federal law before it was passed, and thus had no chance to evaluate how federal law would impact state law. A similar difficulty may arise when the Bush administration considers changes to HIPAA privacy regulations set for implementation in 2002.

To cope with the confusion caused by the 1999 law, several bills were introduced in the current Hawaii legislative session. House Bill 362, which requires the state insurance commissioner to adopt the regulations set forth in the Gramm-Leach-Bliley Act, was unanimously approved . . . but it remains far from clear just what rules will be adopted and who will enforce them.

Hawaii Not Alone

“States continue to enact privacy legislation that is either in conflict with or more stringent than the federal regulation,” notes Representative Jim Greenwood (R-Pennsylvania) in the March 2001 issue of Roll Call.

As in Hawaii, efforts at privacy legislation in California, Maine, and Minnesota offer examples of the potential harm resulting from a rush to protect privacy.

A modified Minnesota privacy law prevented the Mayo Clinic, the country’s most prestigious medical institution, from conducting life-saving research. Minnesota’s law required specific authorization for the use of medical data needed to conduct medical outcomes studies. It took Mayo years and millions of dollars to adapt its systems and processes to the changed regulatory environment.

Follow the Money

For the Hawaii Medical Service Association (HMSA), the state’s largest insurance company, the jury is still out on how the state health privacy bill, the Gramm-Leach-Bliley Act, and HIPAA will mesh and ultimately affect the company. One thing is certain: Compliance will cost a lot of money.

Cliff Cisco, HMSA vice president, told Pacific Business News, “The company has spent a nominal amount on costs related to implementation of the state’s privacy law, mostly related to communication. But far more worrisome for the company is how much the federal law will eventually cost to implement. We have rough numbers, but it will be significant.”

Richard Meiers, president of the Healthcare Association of Hawaii, estimates privacy implementation measures could cost more than Y2K conversion measures did. Meiers is on record as estimating Hawaii’s cost at $276 million. Nationally, the Department of Health and Human Services has put privacy implementation costs at $17.6 billion; Blue Cross-Blue Shield estimates $40 billion.

Other Fallout

There has been little discussion in the mainstream press of the negative consequences of poorly crafted privacy legislation, including:

  • the increased paperwork privacy regulations impose on already over-burdened physicians and hospital staff;
  • possible conflicts between state and federal laws;
  • the potential harm to patients when access to medical history and treatment data is restricted; and
  • the slowing of medical progress—ultimately affecting human health and lifespans—caused by increasing the regulatory burden on medical research. “Better, more efficient ways of treating patients are also likely to remain untested,” warns Greenwood in his Roll Call article, “because of difficulties in sharing data on clinical trials among different states.”

These are important issues, and they make clear that medical privacy is not the black-and-white, good-or-bad issue it is often made out to be. Complex problems call for carefully thought-out solutions; Hawaii offers just one example of what can happen when legislators are too quick to jump on a bandwagon.