Following the 2000 General Assembly Session, the Senate Committee on Education and Health requested the Joint Commission on Health Care (JCHC) to study issues relating to patient consent for release of medical records, ownership of medical records, and patient confidentiality. A copy of the letter from the chairman of the Senate Education and Health Committee to the JCHC is attached as Appendix A. The JCHC subsequently approved this study request. According to the letter from the chairman of the Senate Education and Health Committee, the study was originally requested by the patron of Senate Bill (SB) 702, which sought to amend portions of Virginia law concerning the privacy and ownership of patient medical records. SB 702 was stricken from the docket at the request of the patron, following objections to the bill that were raised by several interested parties. In so doing, the patron of SB 702 requested that the issues presented by the bill be referred to the JCHC for study. A copy of SB 702 is attached as Appendix B.

Based on our research and analysis during this review, we concluded the following:

• The health care delivery system depends upon the collection, analysis, and distribution of detailed information concerning patients.

• The widespread use of and need for personal health information has, however, inspired debate across the country concerning the appropriate degree of external access to an individual's medical and health-related information.

• States have typically sought to protect a patient's privacy and ensure he has an adequate level of access to his own information while, at the same time, allowing appropriate access to personal information by third parties for essential health care operations and to promote important public policy objectives.

• There are several medical record and health information privacy statutes in Virginia. These include, but are not limited to, § 32.1-127.1:03, which governs records held by health care providers; and § 38.2-600 et seq., which governs records held by insurance entities. Health maintenance organizations are governed by the provisions of both these statutes.

• Virginia's health information privacy and access statutes are comparable to those of most other states. For example, the number and types of circumstances under which personal medical information may be disclosed without an individual's written authorization are generally consistent with most other states.

• There are some types of provisions that, while not found in Virginia's patient health records privacy statute (§ 32.1-127.1:03), are contained within recommendations developed by several national organizations. These types of provisions include: (1) a patient's right to not only request copies of their medical records but also to request an opportunity to inspect and examine the original records; (2) a patient's right to request that information in the medical record be corrected, amended, or supplemented; (3) a requirement that a health care provider notify patients of the providers' policies and practices concerning the collection and disclosure of personal health information; and (4) specific authorization for all types of providers to charge a reasonable fee for providing requested medical information.

• The following organizations have recommended that the types of statutory provisions described above be adopted: (1) The Health Privacy Working Group (Joint Commission on Accreditation of Health Care Organizations, National Committee for Quality Assurance, Partners Healthcare System, Intermountain Healthcare, IBM Corporation, National Association of People with AIDS, Consortium for People with Disabilities, and others) have issued "Best Principles for Health Privacy"; (2) the National Conference of Commissioners on Uniform State Laws has adopted a Uniform Health Care Information Act and recently proposed several amendments to that model act; and (3) the United States Department of Health and Human Services has promulgated proposed regulations (which could potentially pre-empt state law) governing privacy of and access to personal health information.

• The Virginia Department of Health Professions received 114 complaints concerning either "records release" or "confidentiality breach" from April 1999 - August 2000. Seventy-five of the complaints have a final disposition (66 - no violation, nine - undetermined).

• It is difficult to identify any strong evidence indicative of health information privacy or access problems within Virginia.

A number of policy options were offered for consideration by the Joint Commission on Health Care regarding the issues discussed in this report. These policy options are listed on pages 41-42.

Public comments were solicited on the draft report. A summary of the public comments is attached at Appendix C.

On behalf of the Joint Commission on Health Care and its staff, I would like to thank the Virginia Hospital and Healthcare Association, the Medical Society of Virginia, the Office of the Attorney General, the Virginia Department of Health Professions, and the Virginia Bureau of Insurance for their cooperation and assistance during this study.

Patrick W. Finnerty
Executive Director
December, 2000