 
MEDICAL PRIVACY

PRIVACY RULE CONCERNS REMAIN
On April 14, 2001, the medical privacy rule allowing government, researcher, and law enforcement access to medical records without patient consent or search warrant was allowed to move forward to full implementation by 2003 for large organizations and 2004 for small organizations. The U.S. Department of Health and Human Services intends to spend the next 12 months looking at and making revisions.
 


TO READ FINAL RULE: Scan down the page to Health and Human Services and click on the eight (8) sections of approximately 50 pages each in PDF format (368 pages) or 1,500 pages in WordPerfect format (TEXT).
 
To read just the text of the regulations or specific sections (EXCLUDING preamble, explanations, and response to public comments), begin on page 82798 (last or second to last group of PDF pages).


Remaining Concerns:
 
• CONSTITUTIONAL VIOLATION: DISCLOSURE TO GOVERNMENT REQUIRED: All providers, health care institutions, health plans, and data clearinghouses must provide the Department of Health and Human Services with access to patient medical records, books, office files, compliance reports and other data at ANY time or on ANY day the Department makes a demand. No patient consent or search warrant is required. [§160.310: Responsibilities of covered entities]
 
• GOVERNMENT AND RESEARCHER ACCESS PERMITTED WITHOUT PATIENT CONSENT: Without patient consent, the regulation will allow law enforcement officers, public health officials, medical researchers, public policy researchers, organ transplantation coordinators, and other state and federal agencies to access medical records--if the health plan, hospital, doctor, data clearinghouse, or other health care professional or health care facility is willing to release the information. The data can be analyzed, monitored, used to create public policy, and used to build regional and national immunization and disease-specific databases. Patient consent is neither necessary nor required. [§164.512: Uses and Disclosures for which consent, an authorization, or opportunity to agree or object is not required]
 
• CONSTITUTIONAL QUESTION: In the text of this final regulation, Donna Shalala, the former Secretary of Health and Human Services (HHS), stated that because the regulation was permissive--did not REQUIRE disclosures to the government--the citizen's Fourth Amendment rights against unreasonable and unwarranted search and seizure are not infringed. However, providers may fear that those resistant to state and federal requests may become the object of federal and state audits. In addition, financial pressures from provider taxes and poor government and HMO reimbursements for care could encourage sharing of patient data without patient consent. It must be remembered that Shalala claimed in her 1997 MEDICAL PRIVACY recommendations to Congress that patients had a public responsibility to disclose the data to researchers and governments for "national priority activities." [§164.512: Uses and Disclosures for which consent, an authorization, or opportunity to agree or object is not required]
 
• GOVERNMENT NOT BOUND BY PRIVACY RULE: The regulation does not regulate the re-use or re-disclosure of individually-identifiable data once government or law enforcement agencies obtain the data, because Congress, through the 1996 Health Insurance Portability and Accountability Act (HIPAA), did not require it. Therefore law enforcement agencies, public health agencies, health care oversight agencies, government databases, and their contractors can share or disclose the data at their own discretion. [§160.103: Definitions (Government entities not included in definition of "covered entity")]
 
• ACCESS TO CARE CONDITIONED ON CONSENT: Although health plans and health care practitioners must obtain patient consent to access and share medical record data for payment, treatment or health care operations, they are allowed to condition enrollment in a health plan--or treatment--on the patient's willingness to sign on the dotted line. Without a signature, care and coverage can be denied. [§164.506: Consent for uses or disclosures to carry out treatment, payment, or health care operation.]
 
• BROAD HEALTH PLAN ACCESS: Payment, Treatment and Health care operations are broadly defined to include not only payment and treatment, but also quality assessment and improvement activities, outcomes evaluation, development of clinical guidelines for doctors to follow in the provision of care, prior authorization, medical necessity determinations, utilization review, population-based activities relating to improving health or reducing health care costs, protocol development, case management, and care coordination, marketing treatments, "and related functions that do not include treatment." Included also are reviewing practitioner and provider performance, conducting training, accreditation, certification, licensing, or credentialing, underwriting, premium rating, medical review, litigation, auditing, fraud and abuse detection, compliance programs, business planning and development, customer services, data analyses for policy holders and plan sponsors, internal grievance procedures. This is not a complete list. [§164.501: Definitions (includes separate definitions for health care operations, payment and treatment)]
 
• MARKETING ACCESS: Health plans, doctors, hospitals, and other holders of private health data are allowed by the current regulation to use patient information to market products, medications, and alternative treatments (e.g., inhaler advertisements for asthmatics, condoms for the sexually-active, diapers for pregnant women). If patients do not want these advertisements, patients can opt-out, but as with telemarketing phone contacts, they may find it necessary to opt-out of many individual marketing companies. [§164.501: Definitions (includes "contacting of health care providers and patients with information about treatment alternatives" in the definition of health care operations)]
 
• ALL-ENCOMPASSING DATA ACCESS: Although the HIPAA statute authorizing the writing of the regulation applied to health data maintained or transmitted in electronic format, the regulation appears to encompass all data in paper or oral form as well, thereby permitting access by the above listed groups to all data and limiting options for those with privacy concerns who want to use paper records to shield their private lives. [§160.103: Definitions ("Health information means any information, whether oral or recorded in any form or medium...")]
 
• NEW PATIENT RIGHTS: In the regulation as it now stands, there are five new rights, although because four are conditional, their designation as "rights" is inappropriate.
 
- The right to be informed of practitioners' and providers' data practices. [§164.520: Notice of privacy practices for protected health information]
- The right to request privacy protection. [§164.522: Rights to request privacy protection for protected health data (request, not obtain)]
- The right to review and copy one's own medical record. [§164.524: Access of individuals to protected health information]
- The right to amend one's own medical record. [§164.526: Amendment of protected health information]
- The right to know who has accessed one's medical record. [§164.528: Accounting of disclosures of protected health information]
 
Only the first right is not conditional. The others can be limited by such things as anticipation of litigation, physician or institution choice, clinical research trial involvement, the provider's assessment of how knowing the information might impact the patient, assessment of accuracy of the requested amendment to the record, and government-imposed delays due to government investigations.
 
• NO PRIVATE RIGHT OF ACTION: Individuals are not given the right to sue those who violate their right to privacy. In fact, the words "privacy" and "confidentiality" are not defined in the regulation. Violators are subject to government sanctions when patients complain and violations are discovered. Patients are not personally compensated. [§164.530: Administrative requirements]
 
• DEIDENTIFIED DATA NOT PROTECTIVE: The Institute of Medicine has reported that deidentified data can sometimes be easily reidentified when cross-matched with data in other public databases. It therefore may not be anonymous data (data incapable of being reidentified). Therefore, patient consent should be required for all sharing of patient data. [§164.514: Other requirements relating to uses and disclosures of protected health information]
 
• PATIENT CONSENT: Patient consent should always be opt-in, not opt-out. If opt-out, patients are forever monitoring whether the various staff of the various providers and facilities are remembering NOT to send in information on the patient or the patient's family. The burden must instead be on the providers to ask for and check for patient consent prior to sending data anywhere. [§164.506: Consent for uses or disclosures to carry out treatment, payment, or health care operation.] and [§164.522: Rights to request privacy protection for protected health data (request, not obtain)]
 
• CHILD/PARENT BARRIER: Although President Bush has signalled his intent to secure the parents' right to see the medical records of their minor children (unless state law forbids it), the rule as released December 28, 2000, would not allow parents to have access to the medical record information of their minor children. In addition, children would be able to receive treatment without parent consent or knowledge. [§164.502(g)(1) Standard: Personal representatives]
 
 

National Health Information Infrastructure
The Workgroup on Electronic Data Interchange (WEDI) is a group that lists 214 members. This group of government agencies, data collection and transmission corporations, and insurance and health care industry members has been working hard to implement a national health information system. See a copy of their short letter to the Secretary of the Department of Health and Human Services for a better understanding of the focus and intent of this group, which was authorized by Congress as part of the Administrative Simplification section of the 1996 Health Insurance Portability and Accountability Act (HIPAA).
WEDI Members


Citizens' Council on Health Care
1954 University Avenue West, Suite 8, St. Paul, MN 55104
Phone: 651.646.8935 / Fax: 651.646.0100