Newly Introduced Bill Proposes Chief Privacy Officer for Health Information Technology (i.e., Electronic Medical Records)

On February 13, 2009 – four days before the Stimulus Bill was enacted by President Obama – Senator Sheldon Whitehouse (D-Rhode Island) introduced Senate Bill 444, entitled “National Health Information Technology and Privacy Advancement Act of 2009.” This Bill follows on the heels of both HIPAA’s Privacy Rule (45 CFR Parts 160 and 164, Subparts A and E) and certain amendments in the Stimulus Bill (enacted on February 17, 2009 as Public Law No. 111-5) in that it provides specific detail about how the health information technology system would be created.

Among other things, this Act proposes the creation of a Corporation to coordinate the activities of various federal agencies and to effectuate the creation of a national program for health information technology. (Section 5.) The corporation would be required to be incorporated, within 180 days of the enactment of the Bill, by nine individuals whose skills and background are specified in the Act. (Id.)

Of particular interest in this Bill is the identification of a Chief Privacy Officer, along with a detailed specification of duties. (Section 5(d)(1).) Although the Stimulus Act provided that a Chief Privacy Officer be appointed within 12 months after the enactment of the Stimulus Act (i.e., by February 2010), the duties ascribed to this CPO were vague: “to advise the National Coordinator on privacy, security, and data stewardship of electronic health information and to coordinate with other Federal agencies (and similar privacy officers in such agencies), with State and regional efforts, and with foreign countries with regard to the privacy, security, and data stewardship of electronic individually identifiable health information.” (Pub. L. No. 111-5 § 3001(e).)

In contrast, S. 444 provides more substantial detail about the duties of this Chief Privacy Officer: (i) “ensure that the use of technologies by the corporation sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information;” (ii) ensure that all personal information kept in the system is maintained as required by the Privacy Act of 1974; (iii) “evaluate legislative and regulatory proposals involving the collection, use, and disclosure of personal information by the Federal Government;” (iv) report on proposed rules and procedures of the corporation, including the type of information collected and the number of people affected; and (v) provide an annual report to Congress on the corporation’s activities affecting privacy. (Section 5(d)(1)(B).) The corporation is only supposed to exist for ten years. (Section 5(h).)

This corporation – and implicitly the Chief Privacy Officer as the operating head of the corporation – would operate a national health information technology and privacy system and would be the gatekeeper to the data held in the system. The Bill contemplates that the corporation would provide data access both to individuals and to “authorized providers and payers of health care services” – as well as determine the rules for accessing the non-personally identifiable information in the system. (Section 5(f)(1)(B) and (C).)

Impact

Currently, individual providers and health plans maintain their own sets of their patients’ medical records. If one wanted a copy of his or her medical records from his or her family doctor, he or she could obtain a copy from the doctor. Hospital records are similarly kept by the hospitals. Each of these providers can also set up relationships with data repository centers (known as “business associates” under HIPAA) to manage the protected health information (PHI) of their patients. This system allows them to forward to an outside administrative organization any requests for access to a particular patient’s record – and thereby reduce some of the administrative burden of maintaining electronic medical records on the actual provider.

Both the Stimulus Act and this Bill (and perhaps others) contemplate the collection of these data on a national level, in a central repository. HIPAA’s Privacy Rule is apparently unaffected – “This title may not be construed as having any effect on the authorities of the Secretary [of Health and Human Services] under HIPAA privacy and security law.” (Pub. L. No. 111-5 § 3009(a)(1).) As a result, the national repository would similarly be required to keep as sacrosanct an individual’s personally identifiable information. Still, it’s a national repository – a centralized collection of all of the medical data relating to a particular individual.

The Bill was read twice and referred to the Senate Committee on Health, Education, Labor, and Pensions. See current status. It remains to be seen whether this Bill will see any further action in Congress. Given the heightened interest in creating centralized electronic medical records, however, it is likely that a bill of this type, providing the administrative structure to implement the requirements of the Stimulus Bill, would indeed be enacted in the near future.

Newly Introduced Bill Would Require Shutter Sounds in Camera Phones

On January 9, 2009, Representative Pete King (R-New York) proposed H.R. 414 (Camera Phone Predator Alert Act), which requires camera phones to be manufactured in a way that broadcasts the shutter sound a “reasonable” distance when a user takes a picture. According to the findings within the Bill, “Congress finds that children and adolescents have been exploited by photographs taken in dressing rooms and public places with the use of a camera phone.” Section 2.

The Bill does not contain any definitions or standards, and seems to grandfather all existing phones already on the market. Indeed, the sound requirement would only be applied one year after the effective date of the Bill, should it be enacted. Specifically, the Bill requires that all camera phones manufactured after that date may not have any means for the user to disable sound. The applicable “sound” is defined rather generically: “a tone or other sound audible within a reasonable radius of the phone.” Section 3.

The Bill provides for enforcement by the Consumer Product Safety Commission, with civil penalties set forth in 15 U.S.C. § 2069. It is unclear whether this Bill, if enacted, would provide for any private right of action (say, by the person whose picture was taken using a soundless camera phone manufactured after the effective date).

This may also have a minor impact in preventing piracy in the copyright world, since it is quite easy to snap a picture using your camera phone in a museum or other private location of artwork that is presumably protected by copyright. If the sound on your phone is turned off, and if the flash does not activate, it’s possible that no one would know that you made a “copy” of a copyrighted work, perhaps in violation of the Copyright Act. (Taking a picture alone does not automatically result in a finding of copyright infringement – there are substantial factual inquiries that must be made before such a finding occurs.)

Oddly, Rep. Pete King’s press releases web site makes no mention of his introduction of this Bill – although it does reference other Bills that he has introduced or supported. According to Thomas, the Bill was read into the Record when it was introduced and has been referred to the House Committee on Energy and Commerce.

Privacy Resources on the Internet

Welcome to the Privacy and IP Law blog. As an initial matter, below are several resources on the Internet where you can find detailed information about privacy law. It’s by no means exhaustive, but it should give you a start to understanding some of the recent debate on privacy issues in the U.S.:

Some of these links also appeared in the inaugural issue of “International Data Protection and Online Security,” a joint newsletter of the ABA’s Section on International Law and the Online Security and E-Privacy Committee of the ABA’s Intellectual Property Law Section, of which I am a member of the editorial board.