
CPT Statement on Medical Privacy Bill (S. 1360)



-----------------------------------------------------------------
TAP-INFO - An Internet newsletter available from listproc@tap.org
-----------------------------------------------------------------
TAXPAYER ASSETS PROJECT - INFORMATION POLICY NOTE
November 2, 1995

-    Consumer Project on Technology sends November 2, 1995 letter
     to sponsors of S. 1360, the medical records confidentiality
     act, expressing opposition to the legislation.

-    CPT analysis focuses on millions of law enforcement
     officials, social workers, health researchers, public health
     officials, and employees of health care and data processing
     firms that would have access to computer databases of
     personnel medical records.  CPT says the bill is
     fundamentally flawed, and that Congress should place
     restrictions on the creation and maintenance of such
     databases.

-    Congress may hold hearings on legislation on November 14,
     1995.  It is important to express concerns about legislation
     to sponsors of legislation.


-    Updates and background information at:
     http://www.essential.org/privacy/privacy.html
     Also, discussion list (med-privacy@tap.org) available
     from listproc@tap.org


The letter follows.  Jamie [love@tap.org; 202/387-8030]
------------------------------------------------------------


                  Consumer Project on Technology
               P.O. Box 19367, Washington, DC 20036
             Voice: 202/387-8030; Fax: 202/2234-5176
              http://www.essential.org/cpt/cpt.html

November 2, 1995

Senator Nancy Kassebaum (fax 202/224-63514)
Senator Robert Bennett (fax 202/224-6717) 
Senator Robert Dole (fax 202/228-4569)
Senator Ted Kennedy (fax 202/224-2417)
Senator Bill Frist (fax 202/228-1264)
Senator Paul Simon (fax 202/224-0868)
Senator Orrin Hatch (fax 202/224-6331)
Senator Judd Gregg (fax 202/224-4952)
Senator Ted Stevens (202/224-2354)
Senator James Jeffords Vermont@jeffords.senate.gov
Senator Herb Kohl (202/224-9787)
Senator Tom Daschle (fax 202/224-2047)
Senator Russ Feingold (fax 202/224-2725)
United States Senate
Washington, DC 20510

Dear Senators:

     I am writing to you, as sponsors of S. 1360, the Medical
Records Confidentiality Act of 1995, to express our concerns about this
bill, which purports to enhance personal privacy.  We also
request an opportunity to testify at public hearings on the bill.

     It is our view that this proposal is fundamentally flawed,
and will legitimatize and contribute to the continued erosion of
personal privacy.  While the discussion surrounding the
introduction of the legislation has emphasized the bill's role in
enhancing privacy, the text of the legislation tells a different
story.  Only through comparisons to a lack of standards for
privacy does this bill represent a step forward.  The legislation
completely ignores fundamental flaws in the current system,
introduces new rights of access to medical records, and fails to
address the public's growing apprehensions about the loss of
their privacy.

     Concerns about privacy to medical records are very directly
related to the development of computer technology and the
creation of large computer databases of medical records.  Yet S.
1360 only mentions computers once, the bill's definition of
"writing." [Sec. 3 (18)].  There is no recognition that more
restrictive rules should apply for access to computer databases. 
This is the most fundamental flaw in the legislation.

     Allow me to state in simple terms the world envisioned by S.
1360.  A person who seeks medical care will find that the entity
which pays for the health care can require, as a condition of
payment, that it receives a computerized record of the treatment
records.  [Sec. 202 (a), Sec. 202 (b)(1)]  What types of
information are involved?  It includes information concerning
"preventive, diagnostic, therapeutic, rehabilitative,
maintenance, or palliative care, counseling, service, or
procedure, with respect to the physical or mental health
condition of an individual; or affecting the structure or
function of the human body or any part of the human body; or any
sale or dispensing of a drug, device, equipment, or other item to
an individual, or for the use of an individual, pursuant to a
prescription."  [Sec. 3. (4)]   It also includes demographic
information, information about payments for medical services, and
more generally, information that "relates to the past, present,
or future physical or mental health or condition of an
individual." [Sec. 3 (14)]

     The insurance company, employer, government agency or other
entity that provides the third party payments for health care can
create and maintain a database of patient records, and use these
records for a number of purposes.  These computer databases will
contain unique personal identifiers.  These organizations, many
of them huge organizations, are asked to protect the records from
disclosure to the general public, but the act allows for many
cases where the patient records can be shared with others.   I
will briefly describe some of the persons who will have access to
medical records, without consent from the patient, without prior
notice, and in many cases without any notice.

1.   Law Enforcement Officials.  

     The act ensures that virtually any law enforcement official
will have the right to search your medical records, not by
identifying your doctors and obtaining a warrant for records from
a doctor's office, but simply by contacting large insurance
companies, employers or database companies, and searching
computer databases.  These law enforcement officials will be
required to obtain a subpoena from a grand jury, an
"administrative" subpoena or summons, or a judicial  summons or a
warrant [Sec. 212 (a) (1)], which simply says that there is
"probable cause" to believe that the information is "relevant" to
a legitimate law enforcement inquiry. [Sec. 212 (a) (2)].  You
don't even have to be a target of the inquiry, or suspected of
committing any crime.

     If the action proceeds under a "warrant," a patient need not
receive prior notice.  [Sec. 212 (a) (3)].  A patient has a right
to move to quash a warrant, but that right is severely limited by
the fact that prior notice isn't required.  Indeed, government
law enforcement officials have 30 days to serve notice that the
warrant has been issued [Sec. 212 (a)(3)], and that time can be
extended by a court. [Sec. 212 (a)(5)(A)]   If a subpoena is
used, the government may also apply to a court ex parte and under
seal, and ask for an order delaying the notice of the subpoena. 
The extension or delay in notice for a warrant or subpoena can be
obtained if the government can show that the request is
"relevant" to a legitimate law enforcement inquiry (civil or
criminal), the government's "need" for the information outweighs
the privacy interest of the individual, and there are reasonable
grounds to believe that the notice will lead to endangerment of
life, flight from prosecution, destruction of or tampering with
evidence, intimidation of potential witnesses, or more broadly,
"disclosure of the existence or nature of a confidential law
enforcement investigation or grand jury investigation that is
likely to seriously jeopardize such investigation." [Sec. 212
(a)(5)(B)]. 


     A subpoena or summons for information can be obtained for
persons whose identity is unknown. [Sec. 212 (a)(4)].  Law
enforcement officials would apparently have the right to search
computer databases to "find" records that match certain criteria. 
What will this involve?  Physical characteristics, psychological
profiles, data on DNA or other genetic characteristics?  If this
isn't intended, why doesn't the bill say so plainly?

     The bill also allows law enforcement authorities the right
to obtain access to medical records without a warrant or subpoena
for the "identification of a victim or witness" in a law
enforcement inquiry. [Sec. 212 (c)].  These would also likely
involve searches of computer databases to find persons who meet
characteristics identified by law enforcement officials.


     Who are these law enforcement officials who will have such
broad and ready access to such personal information?  According
to the U.S. Department of Justice, in 1992 there were 78,570
state and 476,261 general purpose police employees, 225,342
employees of state and local sheriff offices, and 60,926 state
and local "special" police, for a total of 841,099 full and
part-time employees in state and local police and sheriffs'
departments.  To this we add the considerable number of federal
law enforcement officials from the obvious agencies such as the
FBI, CIA, NSA, ATF, INS, IRS, various Military intelligence
agencies, etc.  But even that doesn't give an adequate
description.  The term "law enforcement inquiry" means "a lawful
investigation or official proceeding inquiring into a violation
of, or failure to comply with, any criminal or civil statute or
any regulation, rule or order issued pursuant to such a statute."
[Sec. 3 (12)].  Thus, investigators from many if not most federal
and state agencies would qualify.  The numbers of persons who
could argue that they qualify under that very broad definition
are undoubtedly quite high.


2.   Public Health Authorities.

     Public Health Authorities are defined as "an authority or
instrumentality of the United States, a State, or a political
subdivision of a State that is . . .  responsible for public
health matters; and . . . engaged in such activities as injury
reporting, public health, surveillance, and public health
investigation or intervention." [Sec. 3 (15)]  Any health care
provider, health plan, health researcher, public health
authority, employer, insurer, school or university, or certified
health information network service, plus others, may disclose
medical records to "a public health authority or other person
authorized by law for use in a legally authorized (1) disease or
injury report; public health surveillance, or public health
investigation or intervention." [Sec. 208].  This creates another
large class of persons with access to databases of personal
medical records.  The bill does not require consent or notice for
disclosure [Sec. 203 (e)], and there are no provisions for
warrants, subpoenas or other legal burdens to obtain access.


3.   Health Researchers.

     Health researchers, who are really not defined in the bill
(except by circular reference), may obtain medical records
without consent or notice [Sec. 203 (e)], if the "protected
health information" is needed for the "effectiveness of the
project," and "is of sufficient importance" to "outweigh the
intrusion into the privacy of the individual who is the subject
of the information." [Sec. 209 (a)]  Who will make such a
determination?  Certified Institutional Review Boards that would
be found in hundreds of hospitals and medical schools.  Thousands
of graduate students and other researchers (including large
consulting firms) would be allowed to obtain personal medical
records, in order to pursue any number of studies of health care
issues.  No one who was included in these studies would have any
notice that their records were used, even when the information
was disclosed with personal identifying information, including
such items as the patient's name, address, social security number
or employer.


4.   Health Oversight Agency.

     Another broad category of persons who would have access to
medical records, without consent or notice, would include persons
working for a "Health Oversight Agency." This is defined in the
bill very broadly, to include "a person who . . . performs or
oversees the performance of an assessment, evaluation,
determination, or investigation relating to the licensing,
accreditation, or certification of health care providers; or . .
. performs or oversees the performance of an assessment,
evaluation, determination, investigation, or prosecution relating
to compliance with legal, fiscal medical, or scientific standards
relating to . . . the delivery of or payment for, health care,
health services or equipment, or health research; or . . . health
care fraud or fraudulent claims regarding health services or
equipment, or related activities and items." [Sec. 3 (8)] This
information is supposed to only be used in investigations of
fraud or payment for health care.  [Sec. 209].  For reasons that
are not readily apparent, there are no requirements for notice
that your records have been examined by these officials. [Sec.
203 (e)].


     In addition to these categories, there are a number of other
groups that may receive the records.  Firms like Equifax or IMS,
which sell personal information for marketing purposes, will be
allowed to obtain medical records, with personal identifiers,
without consent or notice, for purposes of creating large
databases of "nonidentifiable" information. [Sec. 204] Litigants
in civil matters may ask to obtain records from the databases if
health matters are at issue. [Sec. 210].  And of course,
thousands of persons from health care agencies, HMO's, insurance
companies, employers and others will have access to these
databases.

     S. 1360 sets out rules to discourage the improper release of
records, and imposes large fines on persons who violate those
rules, but will not and can not prevent the very predictable
invasions of privacy that will occur once literally millions of
persons have opportunities to access computer databases of
medical records.  It hardly needs to be said that we have
witnessed an enormous amount of official and private misconduct
with respect to access to records stored in paper formats, and
these problems only accelerate once records are stored on
computers.  One need not be a luddite to question the wisdom of
giving more than 1 million law enforcement officials access to
computer databases of medical records.  It is common sense and
maturity to recognize that some records should never be gathered
and maintained in databases.  Congress must question the right of
anyone to create these databases in the first place.

     As you know, a number of groups oppose S. 1360, even though
it was only introduced last week.  The Electronic Frontier
Foundation (EFF), the Electronic Privacy Information Center
(EPIC), the Center for Patient Rights (CPR), the Massachusetts
ACLU,  and other groups have issued critical comments on the
legislation.  We expect those critical responses to snowball once
people learn what this bill will authorize.

     The Consumer Project on Technology was created by Ralph
Nader this year to investigate a wide range of technology related
issues, including telecommunications regulation, intellectual
property rights, and the impact of computers on personal privacy. 
Our "home page" on the Internet's World Wide Web  is
http://www.essential.org/cpt/cpt.html. 

     We would very much appreciate the opportunity to testify in
opposition to this legislation at the proposed November 14, 1995
hearings.  We will be providing additional comments on the
legislation at a later time, including our concerns over the vast
pre-emption of state rights in the legislation [Sec. 410], which
we believe sets a ceiling on privacy legislation, rather than a
floor, and the unwarranted immunities from civil litigation that
the legislation extends to Equifax, Insurance companies, HMO's
and others. [Sec. 402].

     Thank you very much for considering our views and our
request to testify.


Sincerely,



James Love
Director
Consumer Project on Technology
love@tap.org
http://www.essential.org/cpt/cpt.html
202/387-8030
---------------------
updates on this issue on med-privacy@tap.org (listproc@tap.org)
Also, http://www.essential.org/cpt/privacy/privacy.html

---------------------------------------------------------------------
TAP-INFO is an Internet Distribution List provided by the Taxpayer
Assets Project (TAP).  TAP was founded by Ralph Nader to monitor the
management of government property, including information systems and
data, government funded R&D, spectrum allocation and other government
assets.  TAP-INFO reports on TAP activities relating to federal
information policy.

TAP-INFO is archived at gopher.essential.org in the Taxpayer Assets 
Project directory, and at http://www.essential.org/tap/tap.html

Subscription requests to tap-info to listproc@tap.org with
the message:  subscribe tap-info your name
---------------------------------------------------------------------
Taxpayer Assets Project; P.O. Box 19367, Washington, DC  20036
v. 202/387-8030; f. 202/234-5176; internet:  tap@tap.org
---------------------------------------------------------------------