HEALTH INFORMATION PRIVACY S.B. 465 (S-2)-468: FIRST ANALYSIS




Senate Bill 465 (Substitute S-2 as reported by the Committee of the Whole)
Senate Bill 466 (Substitute S-2 as reported)
Senate Bill 467 (Substitute S-1 as reported)
Senate Bill 468 (as reported without amendment)
Sponsor: Senator Gilda Z. Jacobs (S.B. 465) Senator Bruce Patterson (S.B. 466) Senator Tom George (S.B. 467) Senator Deborah Cherry (S.B. 468)
Committee: Health Policy


Date Completed: 4-26-06

RATIONALE


Over the last several years, the privacy of individual health information has been of increasing concern. The Federal Health Insurance Portability and Accountability Act (HIPAA) was enacted to restrict who may view or receive a patient's health information and how that information may be used. For example, under HIPAA, a person's health information may not be disclosed to his or her employer or shared for marketing purposes without the patient's authorization. It may be used for the coordination of care or payment purposes, and shared with others identified by the patient. Despite the enactment of measures to increase protection, some people believe that privacy concerns remain with regard to medical records--particularly their maintenance and disposal--and the disclosure of some health information. It has been suggested that State law should mandate the confidentiality of medical records and limit the disclosure of certain information, while ensuring that patients and their health care providers could gain access to records necessary to obtaining care.

CONTENT


Senate Bill 465 (S-2)
would amend the Public Health Code to do the following:

-- Require an individual licensed under the Code to maintain a record for each patient (as currently required of a health facility or agency).
-- Require the records maintained by a licensee or a health facility or agency to be kept for at least seven years, or longer if required by law or generally accepted standards of medical practice.
-- Require a licensee or a health facility or agency that was unable to comply with the record maintenance requirements to contract with another provider or entity to do so.
-- Require a licensee, facility, or agency, upon ceasing to practice or operate, to notify patients and the Department of Community Health (DCH) and either transfer or destroy medical records as specified.
-- Allow a licensee, facility, or provider to destroy a record that was less than seven years old if the patient first were notified and given the opportunity to request a copy of the record, and authorized the destruction.
-- Establish a maximum $10,000 administrative fine for a person who failed to comply with the record maintenance and disposal requirements if the failure were the result of gross negligence or willful and wanton misconduct.
-- Require a licensee and an applicant for licensure to give the DCH an affidavit concerning their maintenance of medical records.


Senate Bill 466 (S-2)
would amend the Social Welfare Act to increase from six to seven years the length of time a provider must retain the health care records of an individual enrolled in Medicaid; and prescribe standards for the disposal of a Medicaid patient's medical records.


Senate Bill 467 (S-1) would amend the Public Health Code to provide for the confidentiality of information regarding genetic testing performed on an individual; restrict the disclosure of such information; and authorize sanctions to be imposed on a person who violated the bill's provisions.


Senate Bill 468 would amend the Freedom of Information Act to allow a public body to exempt from disclosure as a public record protected health information.

The bills are described below in further detail.

Senate Bill 465 (S-2)
The Public Health Code requires a health facility or agency to keep and maintain a record for each patient, including a full and complete record of tests and examinations performed, observations made, treatments provided, and, in the case of a hospital, the purpose for hospitalization. A hospital that fails to comply with this requirement is subject to an administrative fine of $10,000.


The bill would require an individual licensed under Article 16 (Occupations) of the Code also to keep and maintain a record for each patient for whom he or she had provided medical services, including a full and complete record of tests and examinations performed, observations made, and treatments provided.

A health facility or agency, or a licensee, would have to be keep and retain each record for at least seven years from the date of service to which the record pertained, or longer if otherwise required under Federal or State laws or regulations, or by generally accepted standards of medical practice. A licensee or health facility or agency could destroy a record that was less than seven years old if the licensee, facility, or agency sent a written notice to the patient at his or her last known address informing him or her that the record was about to be destroyed and offering him or her the opportunity to request a copy of it before it was destroyed, and the licensee, facility, or agency received written authorization from the patient or his or her authorized representative agreeing to the destruction. The records would have to be maintained in a manner that protected their integrity, ensured their confidentiality and proper use, and ensured their accessibility and availability to each patient or his or her authorized representative as required by law.


If a licensee or a health facility or agency were unable to comply with the record-keeping requirements, the person, facility, or agency, would have to employ or contract, arrange, or enter into an agreement with another health care provider, health facility or agency, or medical records company to protect, maintain, and provide access to the records.


If a licensee sold or closed his or her practice, or otherwise ceased to practice under Article 16, he or she or, if the licensee were deceased, his or her personal representative, could not abandon the required records. A health facility or agency that closed or otherwise ceased operation also could not abandon the records required to be maintained. The licensee or personal representative, or the health facility or agency, would have to send to the DCH a written notice that specified who would have custody of the records and how a patient could request access to or copies of them.


The licensee or personal representative, or the health facility or agency, also would have to do either of the following:

-- Transfer the records to a successor licensee, or successor health facility or agency; to the patient or a specific health facility or agency or other licensed health care provider, if requested or designated by the patient or his or her authorized representative; or to a health care provider, health care facility or agency, or medical records company with which the licensee or the health facility or agency, had contracted or entered into an agreement to protect, maintain, and provide access to the records.
-- Destroy the records as long as the licensee or, if the licensee were deceased, his or her personal representative, or the health facility or agency, sent a written notice to the last known address of each patient for whom the licensee, facility, or agency had provided medical services.


The notice would have to give the patient 30 days to designate where he or she would like his or her records transferred in lieu of being destroyed. If the patient failed to request a transfer within the 30-day period, the licensee or his or her personal representative, or the health facility or agency, could destroy the records in accordance with the bill.


Except as otherwise provided under the bill or Federal or State laws and regulations, records required to be maintained under the Code or the bill could be destroyed or otherwise disposed of after being maintained for seven years. If the records subsequently were destroyed or otherwise disposed of, they would have to be shredded, incinerated, electronically deleted, or otherwise disposed of in a manner that ensured continued confidentiality of the patient's health care information and any other personal information.


If records were destroyed or otherwise disposed of in accordance with the bill, the DCH could take action, including contracting for or making other arrangements to ensure that the records and any other confidential identifying information related to the patient properly were destroyed or disposed of to protect the confidentiality of the patient's health care and personal information. Before taking action, the DCH, if able to identify the licensee or health facility or agency responsible for the improper disposal of the medical records at issue, would have to send a written notice to the licensee at his or her last known address or place of business on file with the Department, or to the facility or agency at its last known address on file, and give the licensee, facility, or agency an opportunity to destroy or dispose of the records properly, unless a delay in the proper destruction or disposal could compromise the patient's confidentiality. The DCH could assess the licensee or the health facility or agency with the costs the Department incurred to enforce these requirements.

A person who failed to comply with the requirements for record maintenance, transfer, or disposal would be subject to a maximum $10,000 administrative fine if the failure were the result of gross negligence or willful and wanton misconduct.


The bill specifies that nothing in proposed Section 16213 (concerning licensees' maintenance, disposal, and transfer of records) or proposed Section 20175a (concerning health facilities' and agencies' transfer of records) could be construed to create or change the ownership rights to any medical records.


Additionally, an applicant for licensure, and, beginning with the license renewal cycle after the bill took effect, an applicant for a renewal license would have to give the DCH, on the application or the license renewal form, an affidavit stating that he or she had a written policy for protecting, maintaining, and providing access to his or her medical records in accordance with Section 16213 and for complying with that section in the event that the licensee sold or closed his or her practice, retired from practice, or otherwise ceased to practice. The applicant or licensee would have to make the written policy available to the DCH upon request.


The Code requires DCH employees and officers to respect the confidentiality of patient clinical records, and prohibits them from divulging or disclosing the contents of records in a manner that identifies an individual except pursuant to a court order. Under the bill, a DCH employee or officer also could divulge or disclose the contents of records as otherwise authorized by law.

(Under the bill, "medical record" or "record" would mean information, oral or recorded in any form or medium, that pertains to a patient's health care, medical history, diagnosis, prognosis, or medical condition and that is maintained by a licensee in the process of providing medical services.

"Medical records company" would mean a person who contracted for or agreed to protect, maintain, and provide access to medical records for a health care provider or health facility or agency in accordance with Section 16213 (which the bill would add) or Section 20175 (which the bill would amend).

"Patient" would mean an individual who receives or has received health care from a health care provider or health facility or agency. The term would include a guardian, if appointed; and a parent, guardian, or person acting in loco parentis, if the individual were a minor, unless the minor obtained health care lawfully without the consent or notification of a parent, guardian, or person acting in loco parentis. In that case, the minor would have the exclusive right to exercise the rights of a patient under the bill with respect to his or her medical records relating to that care.)

Senate Bill 466 (S-2)

Under the Social Welfare Act, a Medicaid provider must maintain records necessary to document fully the extent and cost of services, supplies, or equipment provided to a medically indigent individual and to substantiate each claim and, in accordance with professionally accepted standards, the medical necessity, appropriateness, and quality of service rendered for which a claim is made. The provider must retain each record for six years after the date of service. The bill would increase that period to seven years.


Additionally, the bill would require a provider to maintain, retain, and dispose of patient medical records and other individually identifying information in accordance with the requirements described above, any other applicable State or Federal law, and the most recent provider agreement.


At a minimum, if a provider were authorized to dispose of patient records or other patient identifying information, including records described above, the provider would have to ensure that medical records that identified a patient and other individually identifying information sufficiently were deleted, shredded, incinerated, or disposed of in a fashion that would protect the confidentiality of the patient's health care information and personal information. The Department of Human Services (DHS) could take action to enforce the record disposal provisions. If the DHS could not enforce compliance, it could enter into a contract or make other arrangements to ensure that patient records and other individually identifying information were disposed of in a fashion that would protect the confidentiality of the information. The DHS could assess costs associated with that disposal against the provider.


The provider's responsibilities with regard to maintenance, retention, and disposal of patient medical records and other individually identifying information would continue after the provider ceased to participate in the Medicaid program for the time period specified under the Act.

Senate Bill 467 (S-1)

Physicians


Under Sections 17020 and 17520 of the Public Health Code, a physician or an individual to whom the physician has delegated authority to perform a selected act, task, or function may not order a presymptomatic or predictive genetic test without first obtaining the test subject's written, informed consent. (The informed consent requirements and definitions are described below, under BACKGROUND.)


Under the bill, the fact that a presymptomatic or predictive genetic test had been ordered and conducted under Section 17020 or 17520, and the results of that test would be privileged and confidential. Except as otherwise provided by law, a person could not disclose that a test had been ordered or conducted, or the test results, for purposes other than treatment, payment, or health care operations as provided under HIPAA and regulations promulgated under it, without first obtaining written authorization from the test subject or his or her legally authorized representative.


The written authorization would have to identify to whom the information was to be disclosed, and would have to include the following notice:

"NOTICE OF RIGHTS WITH REGARD TO GENETIC TESTING AND INFORMATION:


Michigan law restricts requests by health insurers, nonprofit health care corporations, health maintenance organizations, and employers for individuals to submit to genetic testing, to disclose genetic information, or to disclose whether genetic testing has been conducted or the results of that genetic testing. Individuals who have questions about their rights may seek legal advice."


The bill specifies that a general consent or authorization given for the release of medical records or other medical information would not constitute written authorization for disclosure of genetic information. The informed consent form required for the performance of genetic testing would satisfy the bill's written authorization requirements for disclosure if that form identified to whom the genetic information was being provided, included the notice described above, and required a signature for the disclosure separate from the signature required for the performance of the genetic testing. If the test subject or his or her legally authorized representative provided written authorization, the person would have to do each of the following:

-- Provide the test subject with a copy of the signed written authorization.
-- Maintain the original signed written authorization in the subject's medical record.
-- Provide the test subject and the person to whom the information was being disclosed with a notice regarding restrictions on further disclosure of genetic testing and information.


The notice would have to read as follows:

"RESTRICTIONS ON FURTHER DISCLOSURE OF GENETIC TESTING AND INFORMATION


This information is privileged and confidential. This information is being provided to you in accordance with Michigan law and shall not be further disclosed without a separate written authorization from the test subject or his or her legally authorized representative. A general consent or authorization for the release of medical records or other information is not sufficient to authorize the disclosure of genetic testing and information."


If a test subject consented to the performance of a genetic test for the sole purpose of assisting in the recovery or identification of human remains from a disaster or assisting in the identification of living or deceased missing people by matching forensic DNA profiles in the event of an emergency or disaster, those results, as well as the DNA profiles, could be disclosed and used only for those identification purposes. They would not be public records, subject to court subpoena, or discoverable in a legal proceeding. Consent provided for testing and DNA profiling for these purposes would not be consent for secondary research using those results or DNA profiles or any other use except for the identification of living or deceased missing people.
Health Facilities & Agencies


Under the bill, all reports, records, and data pertaining to genetic testing or other genetic information would be privileged and confidential. Except as otherwise provided by law, a health facility or agency could not disclose the test results of a presymptomatic or predictive genetic test, or the fact that such a test was ordered, for purposes other than treatment, payment, or health care operations as provided under HIPAA, without first obtaining written authorization from the test subject or his or her legally authorized representative, as required under the bill.


If the test subject or legally authorized representative agreed to the disclosure of information relating to his or her genetics or the presymptomatic or predictive genetic testing, or both, he or she would have to provide the health facility or agency with the requisite written authorization.


If the test subject or representative provided written authorization for disclosure, the health facility or agency would have to give the test subject a copy of the signed written authorization, maintain the original in the subject's medical records, and give the test subject and the person to whom the information was being disclosed the notice regarding restrictions on further disclosure of genetic testing and information (described above).

A health facility or agency also would be subject to the requirements and restrictions described above pertaining to a test subject's consent to the performance of genetic testing to assist in the recovery or identification of human remains or missing people.


Sanctions


Under the Code, the Department of Community Health may investigate activities related to the practice of a health profession by a licensee, a registrant, or an applicant for licensure or registration. The DCH must report its finding to the appropriate disciplinary subcommittee, which must impose administrative sanctions if it finds the existence of certain grounds, such as personal disqualifications, unethical business practices, prohibited acts, or the violation of specific provisions of the Code (including the requirement for a test subject's written, informed consent to a presymptomatic or predictive genetic test). The sanctions may include a reprimand; probation; the denial, suspension, or revocation of a license or registration; restitution; community service; and/or a fine.


Under the bill, the grounds for administrative sanctions would include a violation of the bill's provisions regarding the disclosure of genetic testing information.

Senate Bill 468
Under the Freedom of Information Act, a person has a right to inspect, copy, or receive copies of a public record, upon making a request that describes the public record sufficiently to enable a public body to find it. A public body, however, may exempt certain information and documents from disclosure. These include medical, counseling, or psychological facts or evaluations concerning an individual if his or her identity would be revealed by a disclosure of those facts or evaluations. The bill also would include protected health information, as defined in 45 CFR 160.103.

(Under 45 CFR 160.103, "protected health information" means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. The term excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act, records described in 20 USC 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.

"Covered entity" means a health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with certain transactions.


Records described in 20 USC 1232g(a)(B)(4)(iv) are records on a student who is at least 18 years old, or is attending an institution of postsecondary education, that are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his or her professional or paraprofessional capacity, or assisting in that capacity, and that are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than the people providing such treatment, except that a physician or other appropriate professional of the student's choice may view them.

"Individually identifiable health information" refers to health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse, and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and either the information identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.)


MCL 333.16177 et al. (S.B. 465) 400.100b (S.B. 466) 333.16221 et al. (S.B. 467) 15.243 (S.B. 468)

BACKGROUND

Under Sections 17010 and 17520 of the Public Health Code, for the purposes of ordering a presymptomatic or predictive genetic test, written, informed consent consists of a signed writing executed by the test subject or his or her legally authorized representative confirming that the physician or individual acting under the physician's delegatory authority has explained, and the test subject or representative understands, at a minimum, all of the following:

-- The nature and purpose of the test.
-- The effectiveness and limitations of the test.
-- The implications of taking the test, including the medical risks and benefits.
-- The future uses of the sample taken from the test subject in order to conduct the test, and the information obtained from the test.
-- The meaning of the test results and the procedure for providing notice to the test subject.
-- Who will have access to the sample and the information obtained from the test, as well as the test subject's right to confidential treatment of the sample and information.


If a test subject or his or her legally authorized representative signs a copy of the informed consent form, he or she is barred from bringing a civil action for damages against the physician, or individual to whom the physician delegated authority, based on failure to obtain informed consent for the test.

"Genetic information" means information about a gene, gene product, or inherited characteristic that is derived from a genetic test. "Genetic test" means the analysis of human DNA, RNA, chromosomes, and those proteins and metabolites used to detect heritable or somatic disease-related genotypes or karyotypes for clinical purposes. The term does not include a routine physical examination or a routine analysis, including a chemical analysis, of body fluids, unless conducted specifically to determine the presence, absence, or mutation of a gene or chromosome. A genetic test must be accepted generally in the scientific and medical communities as being specifically determinative for the presence, absence, or mutation of a gene or chromosome in order to qualify.

"Presymptomatic genetic test" means a genetic test performed before the onset of clinical symptoms or indications of disease. "Predictive genetic test" means a genetic test performed for the purpose of predicting the future probability that the test subject will develop a genetically related disease or disability.

ARGUMENTS (Please note: The arguments contained in this analysis originate from sources outside the Senate Fiscal Agency. The Senate Fiscal Agency neither supports nor opposes legislation.)

Supporting Argument The bills would ensure that records vital to the provision of individual health care were maintained, and that the information contained in such records was protected. Complete, accurate medical records help health care professionals assess patients' conditions correctly and prescribe the appropriate course of action. For this reason, it is critical that records are accessible. There have been reports of several cases in which a medical office closed and the provider simply abandoned records instead of making arrangements for their continued maintenance. In some cases, patient health was seriously compromised because important information, such as mammograms and x-rays, could not be located, or the patients had to repeat painful, expensive tests. Reportedly, people sometimes call the DCH looking for records when their providers go out of business. Occasionally, the Department is able to track down the records; usually, however, the DCH cannot help patients at all. Senate Bills 465 (S-2) and 466 (S-2) specify that a provider's responsibility to maintain the records would not end when the provider ceased to practice, helping to ensure that the provision of care was more seamless.


It is also essential that medical records are maintained and disposed of in a manner that protects their confidentiality. Health records can provide unscrupulous actors with the information they need to commit identity theft, one of the nation's most quickly growing crimes. Reportedly, in 2005, a Grand Rapids news station found patient records discarded in unlocked, unguarded dumpsters near various medical offices. The records contained a wealth of personal data, such as names, addresses, birthdates, and Social Security numbers, as well as diagnoses and treatment information. Misuse of such information can lead to denial of credit or insurance coverage, the loss of employment opportunities, and a stigma that can be difficult to erase. Additionally, inadequate security measures can undermine patients' confidence in their health care providers, causing them to withhold information that might be critical to prescribing the proper treatment. The requirements for maintaining and disposing of records under Senate Bills 465 (S-2) and 466 (S-2) would enhance accessibility and patient privacy.


The restrictions on the disclosure of health information under Senate Bills 467 (S-1) and 468 also would augment privacy protections. Genetic information in particular is vulnerable to misuse. As testing for more conditions becomes available, the potential for misuse of this information increases. Certain information relating to an individual's mental health, substance abuse, and HIV/AIDS status already is subject to heightened statutory protection. Senate Bill 467 (S-1) would acknowledge that genetic information is similarly sensitive and warrants additional protection.


Legislative Analyst: Julie Koval

FISCAL IMPACT Senate Bill 465 (S-2)

State-operated hospital facilities currently retain patient records for a period of 20 years after an individual is discharged, which makes it unlikely that the bill's record retention requirements would increase costs for State health facilities. Locally operated health facilities that currently do not retain patient information for seven years would see an increase in the cost of maintaining health records if this legislation were enacted.


The Department of Community Health would see an increase in administrative cost associated with collecting and storing information from medical providers who ended their practice on where patient information was transferred and how former patients could obtain this information. Also, the bill would permit the DCH to take steps to ensure that medical records were destroyed in a fashion that protected patient confidentiality. The Department could impose fees on health facilities and professionals to cover the cost of overseeing this process. The DCH also could see an increase in revenue from the $10,000 fine that could be imposed on health providers who did not adhere to the proposed medical record requirements.

Senate Bill 466 (S-2)

The bill would have an indeterminate fiscal impact on the State. The DHS Office of Children and Adult Licensing Programs in 2005 regulated 3,573 adult foster care facilities with a capacity of 47,366 adults in care. When the facility is in violation of record retention requirements, the provider is required to submit a plan of correction in order to retain the facility license. Under the proposed enforcement provision, the DHS would have to contract for disposal services as well as institute new administrative billing procedures. The information needed to determine the cost of these administrative changes is not presently available.

Senate Bills 467 (S-1) and 468

The bill would have no fiscal impact on State or local government.


Fiscal Analyst: Bill Bowerman
Constance Cole
David Fosdick

Analysis was prepared by nonpartisan Senate staff for use by the Senate in its deliberations and does not constitute an official statement of legislative intent. sb465-468/0506