PUBLIC COMMENTS
Outcome and Assessment Information System Privacy Notice
June 29, 1999
Director
Division of Data Liaison and Distribution
Health Care Financing Administration
Room N2-04-27
7500 Security Boulevard
Baltimore, Maryland 21244-1850
RE: DOCID: fr18jn99-121
Notice of new system of records
Dear Sir or Madam:
At your request written in the June 18, 1999 notice, we are
submitting comments on the proposed new system of records titled
'Home Health Agency Outcome and Assessment Information Set,
HHS/HCFA/CMSO, 09-70-9002.' We will make comments in general and
specifically regarding the proposed 'routine use' portion of the
system of records.
Citizens' Council on Health Care is a St. Paul, Minnesota-based
national 501(c)3 organization whose mission is to engage and
empower the public in the health care debate through sharing of
information, policy analysis, and alternatives.
We will make our comments in order of each section of the
notice:
EFFECTIVE DATES
We do not support a waiver of the 40-day advance notice period
for this system of records. The public is not fully aware of the
OASIS system and should receive a full, if not expanded, period
for comments.
SUPPLEMENTARY INFORMATION
The Glossary of Terms limits the list of identifiers to
patient's name, social security number, Medicare number and
Medicaid number. This list should be expanded to include address,
city, state, zip code, date of birth, age, sex, and any other
personal or medical records identification numbers. Given the
nature of the questionnaire, the names of the clinic, health plan,
doctor, high school, college, and identifying information of
relatives should be included as identifying information that is
masked or deleted. Cross matching of data to identify a person can
be done without a name or a social security number if other
demographic and historical identifiers remain. NOTE: It is not
lawful for the government to ask for a social security number
without Congressional approval.
The list of OASIS information should not include the
additional identifiers that we have listed above.
The notice's definition of non-identifiable information is a
misnomer. The notice itself validates this. Under III 'Proposed
Routine Use Disclosures' the agency recognizes the possibility of
identification saying "...our policy will be to prohibit release
even of non-identifiable data, beyond the seven listed categories,
if there is a possibility that an individual can be identified
through implicit deduction..." Clearly, by HCFA's own admission,
the masking of the four identifiers will not protect patient
privacy or prevent individual identification.
STATUTORY AND REGULATORY BASIS
Our reading of Section 1891 of the Social Security Act does
not require the completion of a standard, valid, patient
assessment data set for every patient, nor does it permit HHA to
perform the assessment if there is no patient consent. Instead it
stated that a sample of individuals shall be surveyed, but only
with the consent of these individuals. Also, HCFA's interpretation
of the word 'individual' to include non-Medicare and non-Medicaid
patients appears overreaching.
The notice states that OASIS is the "backbone of the home
health prospective payment system" for Medicare and Medicaid, and
while HCFA may choose to use OASIS to determine appropriate
payments for the subsidized population, there is no obligation on
the part of private patients to contribute to the database. Yet,
OASIS regulations seek to collect data on all patients in the home
health system. There is no statutory basis for coercion of
non-subsidized patients into the federal data collection process.
In fact, the Fourth Amendment prohibits such collection without
patient consent.
PURPOSE FOR SYSTEM OF RECORDS
It is a clear overstepping of federal law for HCFA to claim an
obligation for "ensuring HHAs are providing the highest quality of
care for the entire agency and for each individual patient."
HCFA's responsibility is for the subsidized patient. You have
stated that home health care is difficult to oversee because
services are in the home. This may be true; however, this does not
bestow upon HCFA the power to invade the privacy and the
patient-practitioner relationship of those for whom HCFA does not
provide funding for home health services. HCFA's access to
information should be limited to "monitor[ing] the quality of care
it purchases for its beneficiaries" as stated in your final
statement of this section.
AGENCY POLICIES, PROCEDURES, AND RESTRICTION ON THE ROUTINE USE
As we understand the purpose of this notice, HCFA is alerting
the public to OASIS' impact on privacy and giving the public an
opportunity to comment. In addition, it is stating to whom the
OASIS information will be given. Accordingly, the notice states
that the Privacy Act "permits us to disclose information without
an individual's consent if the information is to be used for a
purpose which is compatible with the purpose(s) for which the
information was collected" and that such disclosures are known as
'routine use.'
Given that the purported purpose of OASIS exceeds federal
statute, we believe that the privacy notice is based on a faulty
foundation. Therefore, unless the information is collected solely
from consenting Medicare and Medicaid patients who receive a
subsidy to pay for their home health services, and solely to a
sample of those patients, the OASIS data set and collection system
should not receive a seal of approval through the Privacy Act of
1974.
ENTITIES WHO MAY RECEIVE DISCLOSURES UNDER ROUTINE USE
While the notice states that 'only' seven entities are slated
to receive routine use disclosures of OASIS data, the seven
entities listed are broad categories which present a number of
concerns to both subsidized and private patients.
Government Access: You have granted access to any
agency or employee of the United States Government or the
Department of Justice, or any court or adjudicatory body if these
entities are a party to litigation or 'have an interest in such
litigation.' This is broad, allows extensive intrusion by federal
officials, may place the patient at a disadvantage in litigation,
and does not follow Fourth Amendment restrictions, particularly
for those whose health care services are not subsidized by the
Government. In addition, we are not certain that entitlement
programs completely void Constitutional protections for
individuals, particularly if the individuals have no choice but to
accept the entitlement as in the case of Medicare.
Government Contracts: Since you would permit anyone
with a contractual agreement with HCFA to access OASIS data
without consent, this opens up access under any number of
functions, to any number of people, which cannot be fully
understood or appreciated by the public. One assumes that payment
operations, outcomes research, fraud investigations, quality
assessments, peer review, data warehousing, tracking, statistics,
and other functions would be included. This would substantially
increase the number of individuals with unfettered access to
personal and medical data, including private, for-profit, and
not-for-profit organizations and foundations.
State Agencies: State officials would be granted
access to information for state government oversight of patient
care, including data on patients who are residents of the state,
but receive care outside the borders of the state. The effect of
this tracking system is to completely prohibit privacy. No
patient will be allowed to privately receive home health services
in or outside his state of residence without the state government
being informed. This violates the Fourth Amendment.
Agencies Administering Subsidized Health Care: For
purposes of evaluating and performing payment, treatment and
coverage functions of Medicare and Medicaid, this disclosure of
OASIS data solely on Medicare and Medicaid patients appears the
most appropriate. In the evaluation and monitoring of care
provided by HHAs, the information disclosed should be limited to
the subsidized population.
Peer Review Organization: As previously stated, the
monitoring of care should be limited to information on subsidized
populations. HCFA presumes responsibility that is not theirs when
it seeks to access and use data on all home health patients for a
summary report "about the nation's home health care for release to
beneficiaries."
Research: As Minnesota legislators demonstrated in a
1996 medical records law, researchers should not have unlimited
unconsented access to medical records. They must ask the patients
for consent. Yet this routine use would allow individuals, health
plans, insurance companies, pharmaceutical organizations,
non-profit groups, foundations, and others to access individual
psychological, behavioral, health, relational, medical, and
educational data without consent.
This invasion of privacy will skew the very research
conducted. It will permit faulty research conclusions and the
formulation of inaccurate and inappropriate policy as a result. It
has recently been reported in a California Healthcare Foundation
survey that patients already alter or withhold information from
providers to protect their privacy.
It should be noted here that researchers will not know which
information is supplied by the patient and which--when the patient
refuses to respond--is filled in by a therapist according to their
best professional judgment and observation. Accuracy will be
sadly lacking and the possibility of professional or institutional
bias rampant. The potential for increased federal matching funds,
increased reimbursement, or research funding may affect the
provider's response for each section of the questionnaire. The
patient may find himself as a pawn in pursuit of HCFA funding; a
pawn that may experience insurance or employment discrimination as
a result of faulty information permanently recorded on a federal
database.
In section VI 'Effect of the Proposed System...' HCFA makes it
clear that inaccurate data "could result in the wrong
reimbursement for services and a less effective process for
assuring quality of services." Yet in the notice for a revised
regulation of OASIS, HCFA allows professionals to enter data that
fits their professional judgment and allows patients to refuse to
respond. One assumes that inaccuracy will abound because of the
inherent privacy invasion of the OASIS system and the obvious
distortions of professional opinion.
In addition, since financial information will continue to be
collected and encoded at the HHA level, future regulations or law
may attempt to include that data at the federal level as well.
Congressional Access: Access should be limited by the
constituent and given only to a Member of Congress with a specific
and limited consent received by HCFA from the constituent. It is
entirely possible that a Member of Congress could send a letter to
HCFA about a constituent that the Member is merely seeking
information on, including a potential political opponent. The
constituent may also not want the Member to know other medical,
psychological, relational details about his life that may be
included in whatever data HCFA officials might decide is
'sufficient.'
SECURITY
One short note. Clearly security is difficult for government
agencies to achieve. The IRS has been twice cited for unauthorized
employee access to data on U.S. citizens. It is doubtful that HCFA
would be able to limit or control access with any greater success.
In addition, encrypted information is not unidentifiable. The
identifiers remain attached and decryption keys can be used to
identify the information. If the keys are escrowed by the
government or a public-private partnership with the government,
the information can be decrypted without the knowledge of anyone
affected. The records are not secure just because they are
encrypted. As stated in the CDC handout titled Summary of Fifteen
Key Action Steps: Confidentiality, Community Immunization
Registries Manual, Chapter II: Confidentiality, January 28, 1997:
"Recognize that absolute protection of electronically stored data
on individuals from inappropriate disclosure or abuse is not
possible. The only data that cannot be disclosed is that which is
never collected."
EFFECT...ON INDIVIDUAL RIGHTS
That HCFA "anticipates no adverse effect on any of these
[individual privacy or other personal or property] rights" and
"does not anticipate an unfavorable effect on individual privacy
as a result of the disclosure of information relating to
individuals" is decidedly presumptuous. OASIS is in and of itself
a violation of privacy rights, an unauthorized access to personal
information on citizens by the government.
In addition, the criminal penalties cited for unauthorized
access must first be proven--an expensive proposition for
individuals. These penalties have obviously not stopped IRS
employees from unauthorized access and will likely not stop HCFA
employees either. There is potential as well for secondary
disclosure by the seven entities, and the language for imposition
of penalties does not appear to include Members of Congress or
those entities accessing information for peer review or research.
Thank you for your consideration of our comments. You may
contact our office with questions at any time.
Sincerely,
Twila Brase, R.N., P.H.N.
President
Citizens' Council on Health Care
1954 University Avenue West, Suite 8, St. Paul, MN 55104
Phone: 651.646.8935 / Fax: 651.646.0100, e-mail