Public Comments:
Proposed Rule for Security and Electronic Signature Standards
October 13, 1998
Citizens for Choice in Health Care
1954 University Ave. W., Suite 8
St. Paul, MN 55104
Health Care Financing Administration
Department of Health and Human Services
Attention: HCFA-0049P
P.O. Box 26585
Baltimore, MD 21207-0519
Re: Proposed Rule HCFA-0049P
To Whom It May Concern:
In response to HCFA's request for public comment, Citizens for
Choice in Health Care is submitting the following comments on the
proposed rule for Security and Electronic Signature Standards:
HCFA-0049-P.
Citizens for Choice in Health Care (CCHC) is a non-profit
organization which was founded in 1995 to support individual
choice and privacy in health care decisions for all citizens.
Supported by members and contributors across the nation, CCHC seeks
to protect patient and medical record confidentiality, to
safeguard the critical patient-doctor relationship, and to support
individual freedom and responsibility in all health care
decisions.
Public Comments by CCHC
GENERAL COMMENTS
CCHC cannot support the proposed security standard because it
does not establish a security standard as mandated, nor is it
enforceable. Rather the Secretary of DHHS has proposed to allow
each organization to create a system based on its own
prioritization of risk, cost, confidentiality and security.
The proposed rule permits health care entities to determine
their own security needs and write their own security standards:
"we would require that each affected entity assess its own security
needs and risks and devise, implement, and maintain appropriate
security to address its business requirements. How individual
security requirements would be satisfied and which technology to
use would be business decisions that each organization would have
to make." This, along with the federal pre-emption, leaves the
protection of individually-identifiable patient information in a
tenuous position.
This proposal leaves the average, individual citizen at the
mercy of health care corporations which will be allowed to assess
security needs according to business and financial considerations.
Such considerations may or may not place emphasis on the patient's
need, and the doctor's responsibility, for medical confidentiality
and the security of medical records information.
In opposition to Shalala's 1997 public statement introducing
her privacy recommendations ("We still have a golden opportunity
to safeguard our age-old right to privacy in a brave new world of
computers and biology." September 11, 1997, Senate Committee on
Labor and Human Resources), the proposed rule states, "The federal
government should work with industry to promote and encourage an
informed public debate to determine an appropriate balance between
the primary concerns of patients and the information needs of
various users of health care information."
The Secretary has already moved to implement national
identifiers as required by HIPAA and universal code sets leading
to computerized medical records are in process, but no reliable
security standard to protect citizens made vulnerable by plans for
national IDs and computerized medical records has been introduced.
Simply stated, there is no security in this "security standard."
We do not believe this type of proposed standard was the
intent of Congress when Administrative Simplification was enacted.
The security standard was to be reliable and enforceable enough to
assure every concerned citizen that information under unique
health care identifiers would be secure.
INTRODUCTION/APPLICABILITY
The Corporate Entity exemption seems broad-reaching. Entities
which are wholly owned rarely occupy the same physical space or
boundaries. In fact, many entities own other health care
organizations, clearinghouses, hospitals, or clinics which are
miles, if not states away from each other. As health care is
further consolidated as in Minnesota, there may eventually be
little need to interact with other non-corporate entities. This
exemption would leave increasing amounts of medical information
open to interception. The rule could provide an exemption for
information shared within the same physical/building boundaries,
but the exemption should not go beyond that.
In addition, the exemption for Federal and State agencies and
their contractors leaves the medical information of a growing
population (Medicare, Medicaid, KidCare) vulnerable to access. We
would recommend that this exemption be deleted. Private networks
owned by public entities are not invulnerable to hackers or
interception, as history has recently shown at the Pentagon, the
IRS and the Department of Defense.
DEFINITIONS
The new (14th) definition of health plan ("any other
individual or group health plan, or combination thereof, that
provides or pays for the cost of medical care") could inhibit the
small groups that pool individual money together to pay for the
medical needs of the members of the group (religion-based
organizations). This addition should either be deleted or should
specifically exempt those types of groups. DHHS has not been given
authority to expand the Act.
It appears that the definition of standard as defined by the
Act has been changed significantly, and if so, the Secretary
should be limited to the statutory definition.
According to the Act there are nine transactions. The proposed
rule adds "coordination of benefits" and "other transactions as
the Secretary may prescribe by regulation." This expands beyond
the statute. No other transactions should be added without public
comment. Coordination of benefits could be interpreted as totally
inclusive for all communications. Coordination of benefits should
be deleted from the rules, unless it is more strictly defined.
"First Report of Injury" has been defined by the proposed
rules to allow access to individually-identifiable information for
statistical, legal, claims, and risk management processing. This
category should have been defined in the Act, as we believe that
DHHS has taken liberty to allow law enforcement, researchers,
state and federal agencies, health plans, and others to access
information without the consent of the patient. We would advise a
much more restricted definition which includes only health plans
when a person presents for care using the card/resources of the
health plan. Or we would suggest that the Secretary return to
Congress for specific definition of the term.
EFFECTIVE DATES
DHHS should not be allowed to adopt a modification without
public comment, and only after the comment period should effective
dates be specified. These dates should be at least 180 days,
depending on the comments solicited.
SECURITY STANDARD - GENERAL
As we stated in the General Comments section, the Secretary,
because there is currently no single standard, has opted not to
create one, but to let individual businesses create their own
using a set of requirements which they can determine to what
degree they will follow. The providers and the patients, who are
vulnerable to the interests and financial strength of large health
care entities are left unprotected by this proposed standard. The
financial bottom line in 'business decisions' would likely
determine the extent to which specific features were implemented.
A 'general set of practices' does little to assure implementation
of a secure system. And finally, the statement "Inherent in this
approach is a balance between the need to secure health data
against risk and the economic cost of doing so" is understood by
the average citizen to mean that security procedures will be
minimal.
Health care entities will find it justifiably difficult to
ascertain the meaning of compliance with this standard. This,
coupled with the threat of penalties for non-compliance, will put
undue stress on smaller entities which have more to lose and fewer
resources to comply.
Although there are no enforcement mechanisms included in the
proposed rule, health care entities can enforce security standards
on others. This could mean that smaller entities would be required
to follow the mandates of larger entities without knowing whether
or not the larger entity even follows its own requirements. These
could be considered anti-competitive regulations in that they may
eventually force smaller entities either out of business or under
the umbrella of the larger entity due to the financial burden and
administrative hassle. Such a result would only increase the reach
and size of corporate entities, further diminishing the protection
of patient information.
The proposed rule states, "The proposed security standard
consists of the requirements that a health care entity must
address... and the implementation features that must be present."
Far better to have said that the requirements were actually
required, not just required to be addressed. Then the rule states,
"The relative importance of the requirements and implementation
features would depend on the characteristics of each
organization." Such vague requirements would not pass the muster
of typical contractual agreements, but will allow health care
entities to engage in minimal protection of patient information.
ADMINISTRATIVE PROCEDURES
While the implementation category of the matrix certainly
highlights mechanisms necessary for security of confidential
information, each individual person/employee is a weak link in the
system. Whether there is internal or external certification,
information is never secure as long as any person has access to
it. Therefore the more people with access, the less secure it is.
In addition, one needs to question the ability of individual
organizations to adequately self-police their own security systems,
as there can be a conflict of interest between costs, time
constraints, administrative hassle, and ethical obligations.
The Chain of Trust requires trust, something that cannot be
easily validated, and is less trustworthy under the pressure of
competition. We do not find this to be a viable security feature.
There are no enforcement actions or penalties for broken
agreements.
Personnel Clearances may be highly invasive to individuals,
and may or may not reveal a trustworthy character within the
individual.
Security Incident Procedures and Security Management Process:
Clearly, breaches of security are anticipated. Still there are no
penalties prescribed. While a sanctions policy would be mandatory,
there are no guidelines for the severity of the sanction. The
sanction could be a demotion, a slap on the hand, a small fine, an
extraordinary fine, a move out of the department, a docking of
privileges, a warning, or any other small or severe sanction.
However, because the sanction could be insignificant, there is
little security within this security requirement.
Awareness Training is ineffective for people who prefer to
snoop into the affairs of others or to profit through access. The
IRS's experience (1300 employees caught in 1993) demonstrates
that information is only as secure as the integrity of
individuals.
PHYSICAL SAFEGUARDS
Suffice it to say that physical safeguards can be helpful
against intrusion, although the latest Department of Defense
incident (hackers changed the blood types of soldiers in the DOD
medical record database) shows the skills of determined intruders.
However, again the integrity of the individuals with certified
access is a vital key to the security of information.
TECHNICAL SECURITY SERVICES
CCHC is not an expert in technical security, but we have some
comments about certain provisions of the proposed rule.
Under "Access Control," the words "limit access to health
information to those employees who have a business need to access
it" are rather broad. What constitutes a "business need"?
Some experts say encryption is necessary for security, but
interestingly enough, in this standard, it is optional.
Under "Authorization Control" mechanisms for obtaining consent
are to be put in place, which seems like a valuable security
feature, but leaves the door open for others to decide how and who
gets access, without patient approval.
TECHNICAL SECURITY MECHANISMS
The description of the proposed rule says, "Some form of
encryption should be employed" when using open networks. However,
the rule itself says nothing about such a requirement. Rather, it
states that either access controls OR encryption must be used
(p. 43268). There is no mandate for encryption within this rule. This
seems rather inadequate to ensure security. CCHC has been informed
that at least 128 byte encryption should be employed.
In addition, there is no encryption requirement on stored
records in the databases and systems of health care entities, yet
it is far easier to access this information by using someone
else's password, through accidental access, or by other means than
by intercepting it in transmission.
ENFORCEMENT
Even with security standards and penalties, IRS employees have
violated confidentiality standards. Without penalties, what stands
in the way of violation? In addition, no organization or
individual entity will know whether or not they are in violation
because the entire rule is nebulous. There are no actual
violations listed, only the threat of penalties for violating a
standard that cannot be interpreted.
Three quotes from page 43259 with CCHC comments:
1) "We are not proposing any enforcement procedures at this
time, but we plan to do so in a future Federal Register document
once the industry has some experience with using the standards."
- Comment: Since there are no real standards in this
document, enforcement would be arbitrary.
2) "We envision the monitoring and enforcement process as a
partnership between the Federal government and the private
sector."
- Comment: In reading Sec 1175-1177 of the Act, no
such public-private partnership is included in the enforcement
provision. Given the fact that accreditation bodies may have
their own agendas, or affiliations, and their decisions and
inspections are not under the federal government's
constitutional limitations and due process requirements, this
intent on the part of the Secretary should be DISMISSED from
the proposed rule. The delegation of power to private entities
under government contract is not authorized by the statute.
3) "HHS would likely retain the final responsibility for
determining violations and imposing the penalties specified by
the statute."
- Comment: DHHS does not, even here, take final
responsibility for determining violations and penalties, but
uses the word LIKELY and thereby gives itself the ability to
remain unaccountable for decisions. The Act bestows full
responsibility on the DHHS because the federal government is
under Constitutional restrictions and due process, and
therefore accountable to Congress. The DHHS should fulfill its
statutory obligation and take full responsibility and
accountability.
IMPLEMENTATION (Page 43259)
Sec. 1178 of the Act states that all state medical record
privacy laws are pre-empted by the federal standards. Since no
single standard is evident in this proposed rule, and because the
Secretary has not provided for patient protection through the
proposed rule, we believe that the privacy of patient medical
records is in jeopardy if this rule is implemented as written.
Since there are 50 states and the Act supersedes all state medical
record privacy laws unless the Secretary grants an exception "to
prevent fraud...ensure appropriate State regulation of insurance
and health plans...State reporting on health care delivery or
costs...or...for other purposes...or addresses controlled
substances," we believe that the exceptions should be spelled out
clearly in the rule as a clarification for patients, providers,
and all health care entities. In addition, until Congress enacts
clearly defined federal privacy protections, no implementation, or
preparation for implementation, of security standards should occur
based on this proposed rule.
COST OF CONVERSION (Page 43262)
Clearly DHHS has no idea of the enormity of the implementation
of the standard required. The proposed rule says that DHHS is
"unable to estimate...the number of entities that would require
security system," or to estimate "the number of entities that
neither conduct electronic transactions nor maintain electronic
health information but may choose to do so at some future time"
and that they cannot therefore estimate "the cost to the entities
that will process electronic transactions." The only cost-related
item they claim to know is that "small entities that currently
process claims electronically or maintain electronic health
information may not be able to continue to do so due to the cost
of establishing security systems to meet the requirements of the
proposed security standard."
The DHHS solution to this problem is data clearinghouses--an
additional cost beyond mandatory compliance with the security
mechanisms, physical safeguards, and administrative procedures.
These additional costs may cause these small entities, who are
able to protect health care information better than large
corporate entities, to close their doors.
This could occur in spite of the fact that corporate entities
may choose to implement the standards according to their business
needs, and if later found to be in violation, may use their
sizable profit margins to pay the penalty. This is a luxury small
providers and health care entities cannot afford.
CONCLUSION
There is no standard, nor security, in this rule; there is no
enforcement mechanism nor requirement for encryption; federal
preemption over state privacy laws is declared without privacy
protections in place; the costs cannot be estimated but will
likely hurt small providers most severely; and the DHHS has placed
its own operations outside the security standard, and itself in an
unaccountable position to Congress for security. If implemented,
Administrative Simplification may move the country further away
from individualized medical care toward impersonal corporate care
while doing nothing to guarantee the security and confidentiality
of medical information.
Thank you for your consideration of our comments.
Twila Brase, R.N.
President, Citizens for Choice in Health Care
Citizens' Council on Health Care
1954 University Avenue West, Suite 8, St. Paul, MN 55104
Phone: 651.646.8935 / Fax: 651.646.0100, e-mail