Leahy Announces Agreement On Privacy Provisions In Health IT Bill

WASHINGTON (Wednesday, May 14, 2008) – Sen. Patrick Leahy (D-Vt.) today announced a breakthrough in the impasse over privacy provisions in the Wired for Health Care Quality Act, a bill sponsored by Sens. Edward Kennedy (D-Mass.) and Michael Enzi (R-Wyo.) to help establish a national health information technology system.  Leahy, a longtime advocate for personal privacy protections, had expressed concerns that the bill lacked adequate privacy protections for patients.

Leahy has been working with Kennedy, Enzi, and others to strengthen the privacy and security protections in the legislation.  Last year, Leahy and Kennedy introduced the Health Information Privacy and Security Act, a bill that would create new privacy safeguards to better protect patient’s health information.  The Leahy-Kennedy bill would impose criminal and civil penalties for unauthorized disclosure of sensitive personal information.  During the negotiations to improve the Wired Act, Leahy secured a commitment from Kennedy, who chairs the Health, Education, Labor and Pensions (HELP) Committee, to work with him on a Judiciary Committee hearing on healthy privacy to be held in June.

“We have worked for months to secure stronger privacy protections in the Wired Act,” said Leahy.  “I thank Senator Kennedy and Senator Enzi for their willingness to address these important issues.  No information is more personal than an individual’s health records.  In the Information Age, it is essential to protect the privacy and security Americans’ most sensitive personal data from unauthorized disclosure online and through commercial databases.  Today’s agreement is an important first step in accomplishing this goal, and I look forward to continuing to work with Senator Kennedy to examine ways to better protect Americans’ health privacy.”

Leahy’s privacy provisions will be incorporated into a substitute bill that Kennedy and Enzi are expected to offer later this week.  The Leahy-authored language in the Wired Act would:

  • Strengthen privacy by eliminating the loophole in the Wired Act that would have allowed operators of personal health information databases to give sensitive health records to virtually anyone under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
  • Eliminate loopholes under the HIPAA Privacy Rule that currently allow certain healthcare providers to use or disclose patient health records for marketing purposes.
  • Direct the Secretary of Health and Human Services to submit a report to Congress containing recommendations for privacy and security protections for personal health records.
  • Provide a broad right of access to inspect records held in electronic form and receive an electronic copy of the record.  Under the HIPAA Privacy Rule, individuals have a right to access their medical records, but there is no clear right to an electronic copy of patient’s health records.
  • Strengthen congressional oversight over federal health privacy compliance and enforcement of the HIPAA Privacy Rule.


  • Direct the Secretary of Health and Human Services to ensure more public transparency and stronger privacy obligations on health care providers who contract and outsource patient health records to third-party providers, including any providers operating in a foreign country.


  • Direct the Secretary of Health and Human Services to provide for the development of standards and protections to ensure that consumers are notified when their sensitive electronic personal health information has been compromised.


The Leahy-authored additions to the Wired Act have the support of numerous privacy and consumer organizations, including the Center for Democracy and Technology, Microsoft, AARP, Consumers Union, and the Consumer Partnership for E-Health.


# # # # #

Press Contact

David Carle: 202-224-3693