Hostname: page-component-78c5997874-xbtfd Total loading time: 0 Render date: 2024-11-05T15:48:53.417Z Has data issue: false hasContentIssue false

Medical Records and Your Privacy: Developing Federal Legislation to Protect Patient Privacy Rights

Published online by Cambridge University Press:  24 February 2021

Sharon J. Hussong*
Affiliation:
Eastern College, Political Science and Women's Studies; Boston University School of Law

Extract

In 1997, Judi Selig, a secretary for a South Carolina machinery firm, probably did not anticipate her employer's extreme reaction to her medical history. When her employer discovered that Ms. Selig had been exposed to hepatitis several years before, it demanded that she undergo a blood test and sign a medical release form so that the doctors in the employer's health plan could access her records. When Ms. Selig consented to the test but refused to sign the release form, her employer punished her by suspending her for a week without pay. Ms. Selig quit the company mainly because it threatened her privacy.

Type
Notes And Comments
Copyright
Copyright © American Society of Law, Medicine and Ethics and Boston University 2020

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

1 American Political Network, Medical Privacy: Shalala Urges Congressional Action, Am. Health Line, Sept. 8, 1999, available in WL 9/8/99 APN-HE 4 [hereinafter Shalala Urges Congressional Action].

2 See Gullo, Karen, Medical Privacy Rules Debated, Assoc. Press, Feb. 17, 2000Google Scholar, available in 2000 WL 14321242.

3 See id.

4 See id.

5 See id.

6 Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936(1996).

7 See Medical Record Privacy: Hearing on Medical Records Confidentiality in a Changing Health Care Environment, 106th Cong. (1999) (opening statement of James M. Jeffords, sponsor of S. 578), available in 1999 WL 16946790 [hereinafter Changing Health Care].

8 See id.

9 See Gardner, Jonathan, Senate to Try Again on Records Privacy, Mod. Healthcare, Sept. 6, 1999, at 6.Google Scholar

10 See Clinton Unveils Limited Privacy Protection for Electronic Medical Records, Dow Jones Bus. News, Oct. 29, 1999, available in WL 10/29/99 DJBN 11:10:00 [hereinafter Clinton Unveils Limited Electronic Protection].

11 See id.

12 See id.; see also Haramboure, Diana, An Industry Unready for HIPAA 's Proposed Privacy Legislation, Health Mgmt. Tech., Aug. 1, 1999,Google Scholar available in 1999 WL 13225143 (describing the patient's dilemma: "I don't want the person across the table from me to have access to my medical information, yet I want it immediately available if 1 visit an emergency room").

13 See Gordon, Marcy, Lawmakers Form New Privacy Groups, Assoc. Press, Feb. 10, 2000,Google Scholar available in 2000 WL 12390090 (explaining that many Americans have raised concern over the issue of privacy as it pertains to their medical records).

14 See id. (stating that the task force is necessary because laws have failed to keep up with increased technology).

15 See id.

16 See id.; see also Keith Perine, The Privacy Police, the Standard, Feb. 14, 2000 (visited Nov. 28, 2000) <http://www.thestandard.com/article/display/0,l1519729,00.html> (noting that the caucus will push for "tough new privacy laws").

17 See Gullo, supra note 2 (reporting that Margaret Hamburg, assistant secretary at the Department of HHS, testified, "[e]mployers should not be able to use information obtained for health purposes to discriminate against individuals when making employment decisions").

18 See id.

19 See Changing Health Care, supra note 7.

20 See Loewenberg, Sam, The Politics of Medical Privacy, Legal Times, Mar. 22, 1999Google Scholar, at 4 (noting that restrictions on insurance and pharmaceutical companies' access to patient medical data impairs their ability "to provide high quality care and to engage in critical research").

21 See id. For example, IMS Corporation collects prescription drug data, such as dosage amounts and the number of drugs that patients are taking, and sells the data to pharmaceutical manufacturers for use in marketing and research. See id. at 4.

22 See id.

23 See id.

24 See id.

25 See Clinton Unveils Limited Electronic Protection, supra note 10 (noting that employers evaluate medical records when hiring new employees); see also American Political Network, Medical Privacy: Nation's Papers Calling for New Law, Am. Health Line, Nov. 10, 1999, available in WL 11/10/99 APN-HE 21 (noting that "[t]wo-thirds of adults say they don't trust that their medical records will remain confidential") [hereinafter Nation's Papers Calling for New Law].

26 Keto, Alex, Clinton Announces Electronic Medical Record Privacy Rules, Dow Jones News Serv., Oct. 29, 1999Google Scholar, available in WL 10/29/99 DJNS 09:58:00.

27 See id. When President Clinton announced the HHS regulations, he noted the ease with which a Pennsylvania company obtained detailed information about its employees' prescriptions. See American Political Network, Medical Privacy: 'Sweeping' Regulations Cause Much Debate, Am. Health Line, Nov. 1, 1999, available in WL 11/1/99 APN-HE 3 [hereinafter 'Sweeping' Regulations Cause Much Debate]; see also Ross, Sonya, Clinton Proposes Patient Privacy, AP ONLINE, Oct. 29, 1999Google Scholar, available in 1999 WL 28133539 (reporting Clinton's statement, "In 1999, Americans should never have to worry about the nightmare scenarios depicted in George Orwell's '1984.' I am determined to put an end to such violations of privacy").

28 See Keto, supra note 26.

29 See Clinton Backs Medical Privacy: President Announces Patient Privacy Plan, CBS Worldwide Inc. (1999) [hereinafter Clinton Backs Medical Privacy]. Janlori Goldman, director of the Health Privacy Project, noted, "People are very concerned that their medical records are being used in ways that could hurt them." Id.

30 See Nation's Papers Calling for New Law, supra note 25; see also Aston, Geri, Banking Bill Raises Privacy Concerns, Am. Med. News, Aug. 9, 1999Google Scholar, at 6 [hereinafter Banking Bill Raises Privacy Concerns]. Dr. Donald J. Palmisano, Trustee of the AMA, notes that even the new HHS regulations "could lead to situations in which information from an insurer about a patient's cancer diagnosis could result in the person being turned down for a mortgage." Id.

31 See American Political Network, Medical Privacy: Clinton Unveils Plan, Am. Health Line, Oct. 29, 1999, available in WL 10/29/99 APN-HE 4 (noting that the new rules promulgated by HHS bar disclosure of patients' treatment information to banks and credit card companies, since a consumer's credit status may be adversely affected) [hereinafter Clinton'Unveils Plan].

32 See Loewenberg, supra note 20, at 5; see also Geri Aston, State Laws Show Mixed Results on Privacy, Am. Med. News, Aug 9, 1999, at 5-6 (noting that consumers fear embarrassment, job loss, and denial of health insurance) [hereinafter State Laws Show Mixed Results on Privacy].

33 See Chilton, Lance, Privacy Protection of Health Information: Patient Rights and Pediatrician Responsibilities, 104 Pediatrics 973, 973 (1999)Google Scholar (noting that health providers may use electronic records to justify not paying out claims to patients predisposed to costly medical conditions).

34 See Clinton Backs Medical Privacy, supra note 29. Last year, two pharmacy chains provided a marketing company with the prescription information of thousands of customers without their knowledge or consent. The company then sent unsolicited letters to the customers, suggesting that they try a different drug or that they refill their current prescriptions. See id.

35 See Nation 's Papers Calling for New Law, supra note 25.

36 See State Laws Show Mixed Results on Privacy, supra note 32, at 6 (noting that patients may avoid medical tests because they fear their health information is not being kept private); see also Changing Health Care, supra note 7; Geri Aston, Delegates Firm up Privacy Policy, Am. Med. News, July 12, 1999, at 1 (describing the AMA's new patient confidentiality policy, which includes preserving the sanctity of the physician-patient relationship) [hereinafter Delegates Firm up Privacy Policy].

37 Delegates Firm up Privacy Policy, supra note 36, at 1.

38 See Changing Health Care, supra note 7.

39 See State Laws Show Mixed Results on Privacy, supra note 32, at 6.

40 See 'Sweeping' Regulations Cause Much Debate, supra note 27. HHS Secretary Shalala noted, "We have worked very hard to do what common sense and common decency says should have been done a long time ago." Id.

41 See Chilton, supra note 33, at 974.

42 See State Laws Show Mixed Results on Privacy, supra note 32, at 6.

43 See id.

44 See Nation's Papers Calling for New Law, supra note 25 (discussing the shortcomings of the regulations).

45 See Delegates Firm up Privacy Policy, supra note 36, at 1; see also Nation's Papers Calling for New Law, supra note 25 (noting that although doctors are "among the strongest supporters" of patient privacy legislation, they acknowledge that "data sharing can improve . . . treatment").

46 See Pear, Robert, Clinton to Stress Medical Privacy: Regulations on Confidentiality of Records to be Proposed Soon, San Diego Union-Trib., Oct. 27, 1999Google Scholar, at Al.

47 See id.

48 See id. (quoting the vice president of the American Psychiatric Association (APA) as saying that the proposal would "take away some of the power that patients have traditionally had to decide when and if their records are released to third parties"); see also Brian J. Jones , A Survey of Fortune 500 Corporate Policies Concerning the Psychiatrically Handicapped, J. of Rehabilitation, Oct.-Dec. 1991, at 31, 33 (noting that of the 127 Fortune 500 companies responding to the survey, only thirteen companies have a formal written policy "specifically concerning the hiring of the psychiatrically handicapped," while only eleven companies "have a formal policy specifically concerning their promotion and advancement"). Id. Since the HHS rules permit psychotherapists to release a summary of a patient's diagnosis, prognosis, and progress without gaining the patient's consent, it is apparent that employers may still be tempted to use an employee's medical records as a screening method when making hiring and promotion decisions. See 45 C.F.R. § 164.508(3)(i)(A) (2000); see also Keto, supra note 26.

49 See 45 C.F.R. § 160.102(a)-(c) (defining a covered entity as "[a] health plan; [a] health care clearinghouse; and [a] health care provider who transmits any health information in electronic form").

50 Id. § 164.508(a)(2)(D)(ii)(A)-(C) (noting that "non-health related divisions of the covered entity [include] . . . use in marketing life or casualty insurance or banking services").

51 Id. § 164.516(a)(1).

52 Pear, supra note 46, at Al.

53 See 45 C.F.R. § 160.203(b).

54 Id. § 164.506(b)(1).

55 Id. § 164.514(d)(3)(iv).

56 See 'Sweeping' Regulations Cause Much Debate, supra note 27.

57 Id.

58 See 45 C.F.R. § 164.508(3)(i)(A) (stating that covered entities must obtain authorization for access to psychotherapy notes).

59 Id.

60 Id. § 164.508(3)(iv)(A).

61 Id.

62 SeeAmy Goldstein, Clinton Issues Shield for Patients' Records, Boston Globe, Oct. 29, 1999, at Al; see also Keto, supra note 26 (citing the peculiar dangers associated with disseminating electronic records, including an instance where "a medical center inadvertently stored confidential health care records on a public website for two months before realizing the information was being given out"); see also Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936(1996).

63 See Goldstein, supra note 62, at Al.

64 See id.

65 Law enforcement officials are defined as "officer[s] of an agency or authority of the United States . . . who [are] empowered by law to conduct [a]n investigation or official proceeding inquiring into a violation of, or failure to comply with, any law; or [a] criminal, civil, or administrative proceeding arising from a violation of, or failure to comply with, any law." 45 C.F.R. § 164.504(2)(ii)(l)-(2).

66 See Pear, supra note 46, at Al (noting that some law enforcement officials fear that the HHS rules "may go too far").

67 See Goldstein, supra note 62, at Al.

68 See 45 C.F.R. § 164.510(f)(C)(l)-(3); see also Pear, supra note 46, at Al.

69 See Goldstein, supra note 62, at Al.

70 See Pear, supra note 46, at Al. "The information sought [must be] relevant and material to a legitimate law enforcement inquiry; [and] [f]he request [must be] as specific and narrowly drawn as is reasonably practicable." 45 C.F.R. § 164.510(f)(c)(l)-(2).

71 See Pear, supra note 46, at Al.

72 See id. Law enforcement officials also fear that a suspect's "privacy rights" will shield him or her from being brought to justice. See id. Therefore, officials support the right to "ask hospitals to notify them if a fleeing suspect shows up for treatment of a gunshot wound" so they can locate suspects more quickly. Id.

73 See 'Sweeping' Regulations Cause Much Debate, supra note 27 (noting that many representatives of physicians' groups do not believe the HHS regulations go far enough). William Bruno, an attorney for the APA, notes that "patients stand to lose some of the protections they already have." Id.

74 Pear, supra note 46, at Al.

75 'Sweeping' Regulations Cause Much Debate, supra note 27.

76 See id. ("The AMA believes that the mere notice of a health plan's intended use is inadequate.").

77 See Patient Records Confidentiality: Identity Crisis, Am. Med. News, Aug. 9, 1999, at 15.

78 'Sweeping' Regulations Cause Much Debate, supra note 27.

79 See Patient Records Confidentiality: Identity Crisis, supra note 77.

80 See 'Sweeping' Regulations Cause Much Debate, supra note 27.

81 See id.

82 Id.

83 See id.

84 See id. The Clinton administration and the insurance industry vary widely in their cost estimates for implementing the rules. See id. While the Clinton administration estimated costs at $3.8 billion over the next five years, the insurance industry claimed the cost would be "ten times that amount." Id. (noting that some federal officials estimate that the rules will cost physicians, hospitals, and HMOs over $400 million to notify patients of their rights); see also Pear, supra note 46, at Al (noting that federal officials believe the insurance industry's estimates are "grossly exaggerated"). Patients' requests to have their medical records corrected alone could cost around $2 billion over five years. See 'Sweeping' Regulations Cause Much Debate, supra note 27.

85 'Sweeping' Regulations Cause Much Debate, supra note 27.

86 Pear, supra note 46, at Al.

87 See 'Sweeping' Regulations Cause Much Debate, supra note 27.

88 See id. The HHS regulations apply to "health planfs] . . . health care clearinghouse^] . . . [and] health care providers] who [transmit] any health information in electronic form." 45 C.F.R. § 160.102(a)-(c).

89 45 C.F.R. § 160.504.

90 See 'Sweeping' Regulations Cause Much Debate, supra note 27.

91 See Shalala Urges Congressional Action, supra note 1 (noting a Las Vegas Sun editorial urging Congress to "take action to preserve the privacy of medical records"); see generally Nation 's Papers Calling for New Law, supra note 25 (noting that Congress has to address the "loopholes" in the HHS rules).

92 See Clinton Unveils Limited Electronic Protection, supra note 10.

93 See Keto, supra note 26. President Clinton stated, "I believe Congress should act. . . . There are still protections .. . we can give our families only if an act of Congress is passed. For example, only through legislation, can we cover all paper records and all employers." Id. HIPAA, the 1996 legislation that permitted HHS to promulgate regulations, limited the rules' scope to electronic records. See Goldstein, supra note 62, at Al.

94 See 'Sweeping' Regulations Cause Much Debate, supra note 27.

95 Id.

96 See id.

97 See Privacy Commission Act, H.R. 4049, 106th Cong. (2000).

98 Id. § 3. Although H.R. 4049 proposes a Commission for further studying privacy issues, rather than specifically proposing privacy legislation for protecting patients' medical records, H.R. 4049 recognizes the need for improved legislation protecting the confidentiality of medical records. The bill states, "There is a growing concern about the confidentiality of medical records, because there are inadequate Federal guidelines and a patchwork of confusing State and local rules regarding privacy protection for individually identifiable patient information." Id. § 2(3).

99 See H.R. 4049, § 5(a)(l)-(5).

100 See id. § 4(a).

101 Id. § 4(a)(3).

102 See id. § § 4(c)(1), 4(d).

103 Id. § 4(c)(2)(D).

104 For a discussion of the proposed Senate and House bills, see infra Parts III.A.-G.

105 See Health Care Personal Information Nondisclosure Act of 1999, S. 578, 106th Cong. (1999).

106 See Gardner, Jonathan, Congress Considers Patient Privacy Bills, Mod. Healthcare, Apr. 12, 1999Google Scholar, at 8 (noting that Senator Jeffords is the chairperson of the Health, Education, Labor, and Pensions Committee, which has jurisdiction over proposed privacy legislation in the Senate); see also Delegates Firm up Privacy Policy, supra note 36, at 30. But see Loewenberg, supra note 20, at 4 (noting that privacy advocates are more supportive of Senator Leahy's bill). For a discussion of Senator Leahy's bill, see infra Part III.C.

107 S. 578, § 101(a).

108 Seei'rf. § 102(a).

109 See id. § 103(a)(1).

110 Haramboure, supra note 12; see also S. 578, § 201(b)(1) (emphasis added).

111 See S. 578, § 314(a)-(b). For a discussion of the individual's private right of action, see infra Part IV.B.

112 Id. §205.

113 See id. §§ 401(a)(1), 402; see also State Laws Show Mixed Results on Privacy, supra note 32, at 6. For a discussion of federal preemption, see infra Part IV. A.

114 See S. 578, § 208(c).

115 Id. § 208(d)(3).

116 See Loewenberg, supra note 20, at 4. The Common Rule also applies to research geared toward winning product approval from the Food and Drug Administration. See id.

117 Id.

118 See id.

119 See Medical Information Privacy and Security Act, S. 573, 106th Cong. (1999).

120 See S. 573, § 201(a)(1) (stating that health care entities are forbidden from "disclosing] or us[ing] protected health information except as authorized under this Act").

121 See Haramboure, supra note 12.

122 S. 573, § 101(a)(1).

123 See id. § 101(a)(2). However, the bill further states, "Such fees may not be assessed where such an assessment would have the effect of inhibiting an individual from gaining access to the information." Id. For a discussion of the individual's private right of action, see infra part IV.B.

124 See id. § 323 (a)(2), (b).

125 See id. § 202 (c)(1); see also Haramboure, supra note 12.

126 See Loewenberg, supra note 20, at 4.

127 See S. 573, § 103(b)(l)(A)-(B).

128 See id. § 401(a). For a discussion of federal preemption, see infra Part IV.A.

129 See Medical Information Protection Act of 1999, S. 881, 106th Cong. (1999).

130 See id. § 202(a)(1); see also Delegates Firm up Privacy Policy, supra note 36, at 30. For a discussion of Senator Jeffords' bill, see supra Part II1.B.

131 S. 881, § 101(a)(1).

132 Id. § 101(a)(4).

133 Delegates Firm up Privacy Policy, supra note 36, at 30.

134 See S. 881, § 401(a). For a discussion of federal preemption, see infra Part .v'.A.

135 See State Laws Show Mixed Results on Privacy, supra note 32, at 6.

136 See Delegates Firm up Privacy Policy, supra note 36, at 30 ("[Technology and efficiency must come second to the patient's best interest, to the patient's right to make a decision, to the patient's right to informed consent.").

137 S. 881, § 208(a)(1).

138 See Medical Information Protection and Research Enhancement Act of 1999, H.R. 2470, 106th Cong. (1999).

139 See Review Boards Provide Confidentiality Safeguard in Rep. Greenwood's Bill, the Blue Sheet, July 21, 1999, available in 1999 WL 10783896. For a discussion of Senator Bennett's bill, see supra Part III.D.

140 See Review Boards Provide Confidentiality Safeguard in Rep. Greenwood's Bill, supra note 139; see also H.R. 2470, § 208(a)(1) (noting that health care entities may disclose protected health care information "to a health researcher if the research project has been approved by an IRB pursuant to the requirements of the Common Rule, as implemented by a Federal agency").

141 See Loewenberg, supra note 20, at 4. The Common Rule "governs safety and privacy issues in research that is performed either with government funds or with the purpose of winning Food and Drug Administration approval for a product." Id.

142 Review Boards Provide Confidentiality Safeguard in Rep. Greenwood's Bill, supra note 139.

143 See Loewenberg, supra note 20, at 4-5. R. Alta Charo, a member of the National Bioethics Advisory Committee, describes the current dilemma: "We don't know how much research is going on, how many people are involved, whether there have been any adverse effects on these people, and whether steps are being taken to correct these adverse effects." Id. at 4.

144 See Review Boards Provide Confidentiality Safeguard in Rep. Greenwood's Bill, supra note 139. Representative Edward Markey (D-MA), who co-sponsored Representative Gary A. Condit's (DCA) privacy bill, Health Information Privacy Act, H.R. 1941, 106th Cong. (1999), claims that Representative Greenwood's bill "has the endorsement of industry and industry alone." Id. For a discussion of Representative Condit's bill, see infra Part II1.F.

145 See H.R. 2470, § 401(a). For a discussion of federal preemption, see infra Part IV.A.

146 See H.R. 2470, § 401(a).

147 See Review Boards Provide Confidentiality Safeguard in Rep. Greenwood's Bill, supra note 139. For a discussion of Senator Bennett's bill, see supra Part III.D.

148 See Health Information Privacy Act, H.R. 1941, 106th Cong. (1999).

149 See Democrats' ConsensusMedical Privacy Bill Allows HHS Greater Discretion, the Blue Sheet, June 2, 1999, available in 1999 WL 10783796.

150 See H.R. 1941, § 203(a) (emphasis added).

151 See id. § 202(a) (emphasis added).

152 See Democrats' ConsensusMedical Privacy Bill Allows HHS Greater Discretion, supra note 149.

153 See id.

154 See. e.g., Medical Information Privacy and Security Act, H.R. 1057, 106th Cong. (1999) (sponsored by Rep. Edward Markey (D-MA)).

155 See M. § 111(c).

156 H.R. 1941, § 103(a) (emphasis added).

157 See id. § 102(c) (noting that "[n]othing in this Act shall be construed as requiring disclosure of protected health information that is not otherwise required to be disclosed by law"). For a discussion of Senator Leahy's bill, see supra Part III.C.

158 See Haramboure, supra note 12.

159 See id.

160 H.R. 1941, § 104(c) (emphasis added).

161 See id. § 405(a)(1).

162 See id. § 405(a)(2).

163 See id. § 405(c); see also Jaffee v. Redmond, 518 U.S. 1 (1996).

164 See Personal Medical Information Protection Act of 1999, H.R. 2404, 106th Cong. (1999).

165 See, e.g., id. § 208(c).

166 See id. § 208(d)(1).

167 See id. § 314(a). Section 314(b) specifies mediation, arbitration and early offers of settlement as the methods of alternative dispute resolution.

168 Id. § 103(b).

169 See H.R. 2404, §203( f

170 Id. § 311(a)(l)-(3). Section 312 describes the "Procedures for Imposition of Penalties."

171 Id. § 208(d)(1).

172 Id. § 111(b).

173 See id. §211(a)-(b).

174 See id. §212.

175 See H.R. 2404, § 401(a). For a discussion of federal preemption, see infra Part IV.A.

176 See H.R. 2404, § 101(a)(1).

177 See id. § 101(a)(2).

178 See Delegates Firm up Privacy Policy, supra note 36, at 1.

179 Id.

180 See id. at 30.

181 See id.

182 See id. ("Of the 3,000 to 5,000 IRBs, approximately 1,200 are under public oversight and subject to the Common Rule.").

183 See id.

184 See id.

185 Id.

186 See id.

187 See id. at 30.

188 See id.

189 See State Laws Show Mixed Results on Privacy, supra note 32, at 6.

190 See id.

191 See id.

192 See id.

193 See id.

194 See S. 578; S. 573; S.881 (all supporting a patient's right to view and correct his/her medical records).

195 See State Laws Show Mixed Results on Privacy, supra note 32, at 5 ("For example, 33 states allow patients to access their hospital records, but only 13 give people the same right regarding their HMO records."); see also Nation's Papers Calling for New Law, supra note 25 (noting that "patient access to their records is denied in 28 states and only 34 have protection laws").

196 See State Laws Show Mixed Results on Privacy, supra note 32, at 5. Proposed bills such as H.R. 2404 would establish civil monetary penalties when law enforcement agencies, health care organizations, employers, health researchers and health care providers use patient data without first obtaining written authorization from the patient. See H.R. 2404, § 311.

197 See State Laws Show Mixed Results on Privacy, supra note 32, at 6.

198 See id.

199 See Rebecca L. Jackson , Federal Legislation to Protect Patient Confidentiality Not Expected Before Fall, Met. Corp. Counsel, Aug. 1999, available in WL 08/99 METOC 15, (col. 1).

200 See id.; see also R.I. Gen. Laws Ann. § 23-17.5-14 (1999). "The patient's right to privacy and confidentiality shall extend to all records pertaining to the patient . . . the right to privacy and confidentiality relates to the public dissemination of specific information contained within patient records and to the identification of specific individuals . . . ." R.I. Gen. Laws Ann. § 23-17.5-14(a)-(b)(1999).

201 See Jackson , supra note 199; see also Mass. Gen. Laws Ann. ch. 111, § 70E(b) (West 2000). "Every patient or resident of a facility shall have the right to confidentiality of all records and communications to the extent provided by law." Mass. Gen. Laws Ann. ch. Ill , § 70E(b) (West 2000).

202 See Jackson , supra note 199; see also Va. Code Ann. § 32.1-127.1:03 (Michie 2000).

203 See Jackson , supra note 199. "There is hereby recognized a patient's right of privacy in the content of a patient's medical record. .. . No person . . . shall redisclose or otherwise reveal the records of a patient, beyond the purpose for which such disclosure was made, without first obtaining the patient's specific consent to such redisclosure." Va. Code Ann. § 32.1-127.1:03(A) (Michie 2000).

204 See N.H. Rev. Stat. Ann. § 151:21 (1999). A patient's medical record includes "all information contained in the patient's personal and clinical record, including that stored in an automatic data bank." N.H. Rev. Stat. Ann. § 151:21 (1999). For a "reasonable cost," a patient may copy his or her records. Id.

205 Conn. Gen. Stat. Ann. § 19a-550(b)(9) (West 2000).

206 Jackson , supra note 199.

207 See Pear, supra note 46, at Al.

208 See HHS to Move Slowly on Privacy Regs; Congress Could Act by December, the Pink Sheet, Aug. 16, 1999, available in 1999 WL 8676662.

209 See State Laws Show Mixed Results on Privacy, supra note 32, at 6.

210 See id.

211 See id.

212 See id. (noting that Dr. Richard Levinson, Associate Executive Director of Programs and Policy at the American Public Health Association, believes privacy advocates should not rely on state laws to provide patients with privacy protection). Dr. Levinson has stated that "the country needs one national law that is strong enough to give patients the confidence to get tested and doctors the assurance they can pass information on to the public health community." Id.

213 See id.

214 See id.

215 See id. (noting that uniform national legislation could "fill in gaps" in state laws without weakening stronger state privacy laws).

216 See Nation's Papers Calling for New Law, supra note 25 (quoting a Baltimore Sun editorial from November 8, 1999 that states, "Clinton's proposed rules leave Americans with only partial protection. Further protections, in a new law, are required").

217 See Pear, supra note 46, at Al.

218 See Jackson , supra note 199 (noting that disagreement over an individual's private right of action has caused "repeated snags" during deliberations within the Senate Health, Education, Labor and Pensions Committee).

219 See id.

220 See id.

221 See S. 573, § 208(a). Furthermore, such provisions are not designed to "limit or restrict the ability of law enforcement authorities to gain information while in hot pursuit of a suspect or if other exigent circumstances exist." Id. § 208(i).

222 Id. §§ 202(c)(3), 204.

223 See id. § 204(b)(l)-(3).

224 Id.

225 See id. § 323(b).

226 See S. 578, §215.

227 Id.

228 Id. § 202(C)(4).

229 See id. § 314(a)-(b).

230 See Gardner, supra note 9, at 6.

231 See id.

232 See id.

233 See id.

234 See id. (noting that insurance companies, health care providers and employers oppose a private right of action); see also 'Sweeping' Regulations Cause Much Debate, supra note 27 (quoting Senator Jeffords' pledge to draft legislation that would "give patients and their health records the true privacy protection they deserve").

235 See Studdert, David M., Expanded Managed Care Liability: What Impact on Employer CoverageŒ, Health Aff., Nov .-Dec. 1999,Google Scholar at 8, 24 (concluding that "the direct costs of liability are uncertain but . . . the prospect of litigation may have other important effects on coverage decision making, information exchange, risk contracting, and the extent of employers' involvement in health coverage").

236 See id. at 9.

237 481 U.S. 41 (1987).

238 See id. at 47-48.

239 See Studdert , supra note 235, at 9-10.

240 See Harris, Geoffrey E., Managed Care At a Crossroads: A Wall Street View of Managed Care's Mistakes and Misfortunes, and a Prognosis for Survival in an Increasingly Hostile Environment, Health Aff., Jan.-Feb. 2000CrossRefGoogle Scholar, at 157, 161 (claiming that the threat of litigation will erode the managed care industry's ability to contain costs).

241 Id. at 161.

242 See id. at 157 (noting that "managed care has increased access to the health care delivery system by expanding coverage for pharmaceuticals, alternative medicine, preventive care services such as health screening, and primary care services").

243 See Studdert , supra note 235, at 13 (noting that even when the managed care industry learns of recent litigation outcomes, they "show a propensity to respond inefficiently and overreact to the small possibility of having to pay large penalties for certain behavior").

244 See id. Since non-ERISA employee benefit plans, such as governmental and church plans, are not shielded from state tort claims, researchers decided to study the litigation costs incurred by nonERISA employee benefit plans and approximate what comparable litigation would cost in the ERISA sector. Coopers & Lybrand commissioned a study of two groups of state government employees and one group of local government employees. They discovered that if ERISA employees sued at a similar rate as the non-ERISA employees, the litigation costs would be approximately between three and thirteen cents per enrollee per month. See id. at 14-15.

245 See id. at 17. However, alternative dispute resolution appears to be a double-edged sword for the managed care industry. Although it may reduce litigation expense, it may increase an injured individual's access to monetary compensation. See id.

246 See id. at 8.

247 See State Laws Show Mixed Results on Privacy, supra note 32, at 6.

248 See Health Insurance Portability and Accountability Act of 1996, supra note 6.

249 'Sweeping' Regulations Cause Much Debate, supra note 27.

250 H.R. 1941, § 203(a).

251 See H.R. 2470, § 101(a)(4).

252 See S. 573, § 101(a)(2).

253 See Jones , supra note 48, at 31 (noting that "physically handicapped employees are widely perceived to be more desirable than psychiatrically handicapped employees"). When Fortune 500 respondents were asked to rank the following in terms of their desirability as employees: psychiatrically handicapped, physically handicapped, mentally retarded, ex-offenders, and alcohol/drug problems, the physically handicapped were ranked as the most desirable. The ranking of the psychiatrically handicapped had a response pattern very similar to the ranking of the mentally retarded. Employees with alcohol/drug problems were rated the least desirable. See id. The National Institute of Mental Health relates a story, albeit with names and details changed, chronicling the stigma the psychiatrically impaired face when seeking employment. Six months after she was hired, Nicki Selden revealed to her boss that she had been a mental patient. Since Selden was taking medication that occasionally caused her to feel sick and miss work, she believed she should share this information with her boss. Four days later, Selden was fired. See National Institute of Mental Health, the Fourteen Worst Myths About Recovered Mental Patients (1988).

254 H.R. 1941, § 104(c) (emphasis added).

255 See id. § 405(a)(1).

256 See S. 578, § 402.

257 Id. §215.