Newly Introduced Bill Proposes Chief Privacy Officer for Health Information Technology (i.e., Electronic Medical Records)

On February 13, 2009 – four days before the Stimulus Bill was enacted by President Obama – Senator Sheldon Whitehouse (D-Rhode Island) introduced Senate Bill 444, entitled “National Health Information Technology and Privacy Advancement Act of 2009.” This Bill follows on the heels of both HIPAA’s Privacy Rule (45 CFR Parts 160 and 164, Subparts A and E) and certain amendments in the Stimulus Bill (enacted on February 17, 2009 as Public Law No. 111-5) in that it provides specific detail about how the health information technology system would be created.

Among other things, this Act proposes the creation of a Corporation to coordinate the activities of various federal agencies and to effectuate the creation of a national program for health information technology. (Section 5.) The corporation would be required to be incorporated, within 180 days of the enactment of the Bill, by nine individuals whose skills and background are specified in the Act. (Id.)

Of particular interest in this Bill is the identification of a Chief Privacy Officer, along with a detailed specification of duties. (Section 5(d)(1).) Although the Stimulus Act provided that a Chief Privacy Officer be appointed within 12 months after the enactment of the Stimulus Act (i.e., by February 2010), the duties ascribed to this CPO were vague: “to advise the National Coordinator on privacy, security, and data stewardship of electronic health information and to coordinate with other Federal agencies (and similar privacy officers in such agencies), with State and regional efforts, and with foreign countries with regard to the privacy, security, and data stewardship of electronic individually identifiable health information.” (Pub. L. No. 111-5 § 3001(e).)

In contrast, S. 444 provides more substantial detail about the duties of this Chief Privacy Officer: (i) “ensure that the use of technologies by the corporation sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information;” (ii) ensure that all personal information kept in the system is maintained as required by the Privacy Act of 1974; (iii) “evaluate legislative and regulatory proposals involving the collection, use, and disclosure of personal information by the Federal Government;” (iv) report on proposed rules and procedures of the corporation, including the type of information collected and the number of people affected; and (v) provide an annual report to Congress on the corporation’s activities affecting privacy. (Section 5(d)(1)(B).) The corporation is only supposed to exist for ten years. (Section 5(h).)

This corporation – and implicitly the Chief Privacy Officer as the operating head of the corporation – would operate a national health information technology and privacy system and would be the gatekeeper to the data held in the system. The Bill contemplates that the corporation would provide data access both to individuals and to “authorized providers and payers of health care services” – as well as determine the rules for accessing the non-personally identifiable information in the system. (Section 5(f)(1)(B) and (C).)
Currently, individual providers and health plans maintain their own sets of their patients’ medical records. If one wanted a copy of his or her medical records from his or her family doctor, he or she could obtain a copy from the doctor. Hospital records are similarly kept by the hospitals. Each of these providers can also set up relationships with data repository centers (known as “business associates” under HIPAA) to manage the protected health information (PHI) of their patients. This system allows them to forward to an outside administrative organization any requests for access to a particular patient’s record – and thereby reduce some of the administrative burden of maintaining electronic medical records on the actual provider.

Both the Stimulus Act and this Bill (and perhaps others) contemplate the collection of these data on a national level, in a central repository. HIPAA’s Privacy Rule is apparently unaffected – “This title may not be construed as having any effect on the authorities of the Secretary [of Health and Human Services] under HIPAA privacy and security law.” (Pub. L. No. 111-5 § 3009(a)(1).) As a result, the national repository would similarly be required to keep as sacrosanct an individual’s personally identifiable information. Still, it’s a national repository – a centralized collection of all of the medical data relating to a particular individual.

The Bill was read twice and referred to the Senate Committee on Health, Education, Labor, and Pensions. See current status. It remains to be seen whether this Bill will see any further action in Congress. Given the heightened interest in creating centralized electronic medical records, however, it is likely that a bill of this type, providing the administrative structure to implement the requirements of the Stimulus Bill, would indeed be enacted in the near future.