CPT Comments on S. 1360 - November 14, 1995 (fwd)
- To: tap-info@tap.org
- Subject: CPT Comments on S. 1360 - November 14, 1995 (fwd)
- From: James Love <love@tap.org>
- Date: Thu, 16 Nov 1995 08:16:45 -0500 (EST)
-----------------------------------------------------------------
TAP-INFO - An Internet newsletter available from listproc@tap.org
-----------------------------------------------------------------
TAXPAYER ASSETS PROJECT - INFORMATION POLICY NOTE
November 15, 1995
These are the comments I submitted at a Tuesday Senate
hearing on S. 1360. I was not allowed to testify.
Only one witness opposed the bill, Dr. Denise Nagel,
from the Coalition for Patient Rights, and she did
a superb job. Most of the press coverage was very
good, including very good stories in NYT, Washington
Post and NPR, plus a very good guest editorial
in NYT by Dr. Beverly Woodward, on Nov 15, 1995.
Comments of Consumer Project on Technology
on
S. 1360 - the Medical Records Confidentiality Act of 1995
submitted to the Senate Committee on Labor and Human Resources*
James P. Love
November 14, 1995
Introduction
The following comments of the Consumer Project on Technology
(CPT) outline our suggestions for improvements in S. 1360, the
Medical Records Confidentiality Act. While we join others in
applauding the sponsors of S. 1360 for focusing attention on the
important issue of privacy of medical records, we cannot support
the bill as introduced. Our initial concerns about S. 1360 are
detailed in an earlier November 2, 1995 letter, which is
attached. I will briefly summarize our objections to the
legislation, and then detail specific areas where we think S.
1360 can be strengthened.
As introduced, S. 1360 does more to protect the medical
records industry than the privacy of patients. The legislation
severely limits state action on medical records privacy issues.
Consumers lose rights to sue health care trustees under common
law. Insurance companies, employers or HMOs have the right to
demand access to medical records as a condition of payment. Once
records are acquired by the insurance company, HMO, or self-insured
employer, there are literally millions of persons who
have the right to obtain the records, without the consent of the
patient.
S. 1360 defines law enforcement investigations extremely
broadly, to include more than one million persons involved in
enforcement of any civil or criminal statute, regulation, rule,
or order. For example, the Department of Justice estimates that
in 1992 some 841,099 persons were employed by state and local
police and sheriffs' departments. Law enforcement officials will
have access to medical records without consent or even prior
notice, and will be permitted to use computer databases of
records to search for persons whose identity is unknown,
including witnesses, suspected wrongdoers, or anyone who is
"relevant" to an investigation.
Health care researchers, including those not affiliated with
universities or hospitals, public health officials, health
oversight officials, and other groups are given access to patient
records, without consent or even notice. While health
information trustees are required to keep records of persons who
have access to records for non-treatment purposes (for seven
years), patients will likely find it extremely difficult to
locate these records.
Health care providers, insurance companies, large employers,
computer and information services companies have successfully
lobbied to obtain provisions that protect their commercial
interests. Government agencies, such as the law enforcement
community, and the health care "research" community have also
successfully asserted extremely broad claims of access to medical
records. As a result, S. 1360 is framed more as an access bill,
than a privacy bill.
Under S. 1360, large systems of computer databases with
cradle to grave medical records will be easily available to
anyone with access. Records need not be stored in centralized
databases to be readily accessible. Different databases, which
are managed independently, and stored in remote locations, can be
linked together by telecommunications networks, and used in a
manner similar to a single database, if queries can be delivered
and authorized electronically, as is allowed and anticipated
under S. 1360. The amazing efficiencies of new information
technologies are being combined with equally important
revolutions in medical technologies. Basic information about
weight or blood type is being supplemented by data on genetic
characteristics and other high-tech items. It is not enough to
write rules which largely codify current practices, with cosmetic
improvements.
Firms with access to medical records databases are investing
in product development and marketing strategies, in order to
encourage greater access to the medical records, not less access.
Self insured or experience rated employers will be encouraged to
study records in a variety of ways to manage health care costs.
Insurance companies will be encouraged to run medical audits,
with "consent," before issuing policies. The huge numbers of law
enforcement officials with access to medical records will be a
market, waiting for the development of the right "products" to
enhance the efficiency of their investigations. S. 1360 will
facilitate the development of those markets, because it largely
removes doctors from the role of guardians of patient records,
and it does not question the right of large businesses to build
systems which allow for automated searches of personally
identifiable patient records.
Some proponents of S. 1360 claim that the bill will enhance
privacy, because current laws and protections are so weak. The
"something is better than nothing" argument would be more
persuasive if the law did not preempt state action, or eliminate
privacy law suits under common law. "Something" is hardly the
appropriate response to the problem at hand. Without real
privacy protections, consumers will withhold information from
doctors, and doctors will create untruthful records, in order to
avoid the transmission of the information to a system that is so
porous.
The following are suggestions for language which would
increase the level of consumer privacy.
1. Doctors Should Exercise Greater Control over Records.
Under S. 1360, an entity that pays for medical care may
require disclosure of protected health information [Sec 202 (a)],
and the authorization to obtain health care records to validate
expenditures may not be revoked [Sec 202 (b) (1)]. This is an
important step in the process, because if the entity that pays
for the treatment obtains the records, decisions about disclosure
of the data will be made by persons other than doctors
responsible for treatment.
Some advocates of S. 1360 say that one can avoid having
medical records entered into large databases by paying
out-of-pocket for health care costs. For consumers who struggle to make
ends meet, this is not a particularly viable option. Privacy of
medical records should be available to everyone, regardless of
income.
We suggest a new subsection 202 (e), which states:
Sec. 202 (e) Disclosure for Payment. -- A health information
trustee that receives protected health care information for
purposes of authorization of payment may only use
information for this purpose, and may not redisseminate the
information to any third parties, including persons who seek
information under sections 204, 205, 206, 207, 208, 209,
210, 211 or 212 of this act. Protected information received
for purposes of payment authorization shall be removed or
destroyed at the earliest opportunity once payment has been
authorized.
2. The Preemption of State Law Is Too Broad.
The Sec. 401 preemption of state law is far too broad, and
results in the legislation acting as a ceiling on privacy, rather
than a floor.
Sec. 401 (a) states that "except as provided in" certain
areas, "this Act preempts State law." The exceptions include:
- state law on the privileges of witnesses, vital statistics,
records on abuse or neglect of an individual, public or
mental health records, rights of minors to medical records,
- the provisions in the Public Health Service Act relating to
notifications of emergency response employees to exposure to
infectious diseases,
- federal law governing confidentiality of alcohol and drug
patient records,
- the Americans with Disabilities Act of 1990,
- Federal or state law which establishes a privilege for
records used in peer review activities.
I would suggest striking this section altogether. If this
isn't possible, add a new section (c) (9), to add another item
which S. 1360 does NOT preempt.
(9) any State law which limits the collection,
indexing, dissemination, or maintenance of medical records
in electronic formats.
As you know, we are concerned S. 1360 does not take adequate
account of the impact of computer technologies on privacy, and
that the fact that records are stored in digital formats creates
new threats to privacy. By adding our proposed (c) (9) to Sec.
401, states will be free to enhance the baseline privacy
protections of S. 1360, by addressing the most important issues
in the management of the records in electronic databases. Some
state legislatures may decide that their citizens deserve greater
privacy protections than those that are included in S. 1360. We
see no reasons to deny state action in this area.
3. Congress Should Not Take Away a Citizen's Right to Sue under
Common Law.
Under Sec. 402, a health information trustee (which includes
just about anyone who manages or uses these records), and who
makes a disclosure about an individual "that is permitted" by the
Act, shall "not be liable to the individual for such disclosures
under common law." This section should be stricken. There is no
need to provide this super immunity to the health information
trustees. They retain broad discretion under the law, and health
care consumers should have the right to pursue their rights under
common law for violations of privacy. Under Section 201 (c), the
bill says that "nothing in this title that permits a disclosure
of health information shall be construed to require such
disclosure." The Sec. 201 (c) language is important, because it
underscores the fact that health care providers and health care
trustees have the discretion and the responsibility to limit
disclosures of information to protect privacy. S. 1360 is
written to address all possible uses of medical records, and
consequently, it gives quite broad authority to disseminate
information. However, consumers expect that health care
providers and health care trustees will exercise reasonable
judgement in making decisions about when to disclose. The
elimination of common law rights of action is an unwarranted and
unnecessary elimination of an important incentive for health care
providers to use caution in authorizing disclosures.
4. The Law Enforcement Provisions Are Absurd, and must Be
Vastly Narrowed.
As noted in our letter of November 2, 1995, we are alarmed
at the seemingly wide open provisions for law enforcement access
to medical records. This term the United States Supreme Court is
considering a case where a law enforcement official is asserting
that her mental health records should be privileged, and not made
available to the government. Most Americans believe that their
own medical records are privileged documents, not subject to easy
perusal by law enforcement officials. We estimate that well over
1 million government employees will have the right of access to
medical records under S. 1360, without consent or prior notice,
under the very broadly defined Sec. 212 law enforcement
provisions.
This section gives any government official who is
responsible for enforcement of any criminal or civil statute, or
regulation, rule or order adopted under the authority of a
statute, access to medical records. It is written in such a way
that even a dog catcher or building inspector will have the right
to obtain a warrant for access to a person's medical records.
Congressional staff appear to be covered as well.
Law enforcement officials are given the right to obtain
records for persons whose identities are unknown, or to use
medical records databases to identify witnesses or victims. The
only standard for access is that there must be probable cause
that the information is "relevant" to an inquiry -- even if a
person isn't the target of the investigation. Will the police
obtain medical records in order to prepare for an interrogation
or questioning of acquaintances of suspected wrongdoers? Will
this become standard procedure when putting political dissidents
under surveillance? What would this have done for Nixon's
plumbers when they sought "access" to Daniel Ellsberg's
psychiatric records?
The following are initial suggestions for reducing the
problems in Sec. 212.
- The definition of a law enforcement inquiry must be
significantly narrowed.
- Government agencies that obtain medical records under the
law enforcement exemptions should be required to publicly
disclose the number of warrants or subpoenas for medical
records obtained every year, and the names of the employees who
received the information. This will provide an important
deterrence, and some mechanisms for accountability.
- Law enforcement officials should not have the right to
obtain mental health records under warrant or subpoena.
- The law should severely limit the ability of law enforcement
officials to use computer databases to search for and
receive medical records. It would be better if the law
enforcement official was required to obtain the records from
the doctor, to give the doctor the opportunity to resist, if
the doctor believed it was important to refuse access for
ethical reasons. Law enforcement officials should not be
allowed to search databases for unknown persons. This gives
rise to frightening scenarios for surveillance, and it
should be rejected now, before we begin the process of even
greater accumulation of knowledge about genetic
characteristics and other information.
- Law enforcement officials should be flatly prohibited from
obtaining protected medical records information for purposes
of building psychological profiles, investigating
acquaintances or colleagues, or other clear abuses.
- Persons should have a right of action to sue law enforcement
officials who seek overly broad information, or health care
trustees who disclose too much information.
5. Consumers Will Find it Difficult or Impossible to Locate the
Records Which Account for Disclosures. Much Can Be Done to
Improve Sec. 112.
Under Sec. 112, a health information trustee will be
required to create and maintain records of disclosures that are
not related to treatment, including the many types of disclosures
allowed under Sections 204, 205, 206, 207, 208, 209, 210, 211,
and 212. These will be extremely important data, because they
are one indication of how often our medical records are shown to
others. For 7 years this data will be considered protected
health information. [Sec. 112 (b)]. Under Sec. 101 (a), it
appears as though a consumer is entitled to inspect or copy these
records, since the consumer is "the subject" of the protected
information. However, locating this information will be
difficult. Health care trustees will maintain the disclosure
records in remote locations. Under Sections 204 through 212
there will often be no notice to the consumer that a disclosure has
occurred. In order to discover that a disclosure has been made,
a consumer will have to contact health care trustees, one by one,
making inquiries. A failure to report a disclosure at any step
will eliminate the record trail. Health care trustees have 30
days to respond to requests for information, and one can
anticipate slippage in that number. The trustee can require the
consumer to pay for "the cost of such inspection and copying."
One can imagine a fee charged simply to make an inquiry. It
seems likely that an exhaustive search of trustees that may have
had access to one's records could take years and hundreds or
thousands of dollars, every time it was undertaken. Indeed, it
could be much more difficult, when one considers the fact that
one's entire medical history, from cradle to grave, is involved.
This greatly diminishes the usefulness of the records. We are
also concerned that some health care trustees will simply not
report the Sec. 112 disclosures at all, leaving gaps in the
record trail.
Proponents of S. 1360 say that it is enough to give the
consumer a record trail, which shows directions where one might
look. We would like to see each user of a patient's record report
back to the source, every time the record has been accessed. If
the trail can lead one way, it surely can be designed to lead the
information back in the direction where the consumer might
actually find it. To accomplish this, we recommend adding the
following new subsection (c) in Sec. 112.
Sec. 112 (c). The health care trustee shall provide
copies of records of disclosures to the person who maintains
custody of the original copy of the protected health care
record, and that person shall attach the report to the
original record.
We were also surprised to see that the length of time that
the health care trustee must maintain its records has been
shortened from the 10 years that appeared in the copies of S.
1360 disseminated by Senator Bennett on the bill's introduction,
to 7 years in the printed version of the bill. [Sec. 112 (b)] We
prefer a longer period, twenty years.
We are also in favor of a provision that requires health
care trustees to report data on disclosures to a centralized
location, so that we can see statistics on how often consumers'
records are accessed, and for what purposes. The Secretary
should adopt rules for reporting this information, for all health
care trustees, providing statistical data on the number of times
records are accessed, who obtains access, under what sections of
the law was access obtained, and for what purposes was the
information used. We recommend a new subsection (d) be added to
Sec. 112, which says:
Sec. 112 (d). The health care trustee shall provide
annual statistical reports to the Secretary, in a format
which is specified by the Secretary, which discloses the
number of records that are accessed, the types of persons or
entities who obtain access, the sections of the law under
which access was obtained, and the purposes for which the
information was used. The health care trustee shall also
obtain an independent audit to verify the information
provided in this report. The Secretary shall make these
reports available to the public.
6. The Consent Section Should Be Strengthened, to Limit Cases
Where "Consent" Is Obtained with Coercion.
The Section 203 provisions for disclosure for purposes other
than treatment or payment are based upon the fiction that consent
will occur without coercion. Today it is common to be asked for
"consent" for access to medical records in order to obtain life
insurance. Under S. 1360, we anticipate a growth in services for
searching medical records after obtaining consumer "consent"
agreements. We are concerned that employers will seek "consent"
to examine medical records, in order to estimate the cost of
providing medical benefits, or to search for other information,
such as evidence of homosexuality, mental illness, sexual
promiscuity, or deviant behavior, to list just a few items.
[Employers are limited in the information they can request about
medical records prior to employment, under the federal Americans
with Disabilities Act of 1990.] With a huge industry built around
the maintenance, transfer and indexing of patient records, it
will increasingly become easier to conduct such searches. If
employers are allowed to request "consent," it will be difficult
to refuse. Indeed, a refusal will be a signal that the employee
has something to hide.
The consent section should be strengthened by including a
provision 202 (e), for rules against coercion, which states:
202 (e) The Secretary, after notice and opportunity for
public comment, shall adopt rules which prohibit or limit
requests for consent for access to protected health care
information for purposes of employment, acceptance to a
school or university, or for other purposes for which a
request for consent may involve undue coercion.
If this Congress is unwilling to protect the public from
requests for consent under coercion, then a provision should be
added to Sec. 401 (c), stating that this is an area
where states are not preempted from acting.
Sec. 401 (c)(10) Any state law that limits the right of
employers or other groups to request consent for protected
medical information.
7. The Provisions for Access by Health Oversight Agencies [Sec.
207], Public Health authorities [Sec. 208], and Health
Researchers [Sec. 209] Should Be Modified to Require Notice
in Every Case. Consent Should Be Required in Most Cases.
Additional Reporting Is Needed.
At present, health oversight agencies, public health
authorities or health researchers have the right to access
medical records without consent and without notice. This
presents far too much access to medical records, and not much in
the way of accountability. For each group, notice to consumers
should be required. In cases where consent is not obtained, the
notice should include at least the following information:
(1) the records to be accessed,
(2) the reason for obtaining the records,
(3) the legal authority under which the records were
obtained,
(4) the names of the persons who have access to the
records, and
(5) how the records will be used, including disclosure of
the length of time the records will be in the
possession of the person obtaining access to the
records without consent.
Health researchers should be required to obtain consent to
receive access to records with personal identifiers.
Since we don't know much about how these groups use medical
records, or how that usage is changing as records are becoming
computerized, we need annual reports which provide statistical
information. These reports should be made public.
Sec. 112 (d). The health care trustee shall provide annual
statistical reports to the Secretary, in a format which is
specified by the Secretary, which discloses the number of
records that are accessed, the types of persons or entities
who obtain access, the sections of the law under which
access was obtained, and the purposes for which the
information was used. The health care trustee shall also
obtain an independent audit to verify the information
provided in this report. The Secretary shall make these
reports available to the public.
The Consumer Project on Technology has created an Internet
discussion list for this issue, called med-privacy, which is
available for subscriptions from listproc@essential.org. Send a
note to listproc@tap.org, with the message:
subscribe med-privacy yourfirstname yourlastname
Our World Wide Web page has additional information, and is
located at:
http://www.essential.org/cpt/privacy/privacy.htm.
The Consumer Project on Technology (CPT) is a project of the
Center for Study of Responsive Law. The CPT was created by Ralph
Nader this year to study a number of issues related to new
technologies, including telecommunications regulation, pricing of
pharmaceutical drugs, intellectual property rights, and the
impact of computers on privacy. The URL for CPT is
http://www.essential.org/cpt/cpt.html.
--------------------------------------------------------------
* document reformatted for email, two typos and several spelling
errors fixed.
-------------------
---------------------------------------------------------------------
TAP-INFO is an Internet Distribution List provided by the Taxpayer
Assets Project (TAP). TAP was founded by Ralph Nader to monitor the
management of government property, including information systems and
data, government funded R&D, spectrum allocation and other government
assets. TAP-INFO reports on TAP activities relating to federal
information policy.
TAP-INFO is archived at gopher.essential.org in the Taxpayer Assets
Project directory, and at http://www.essential.org/tap/tap.html
Subscription requests to tap-info to listproc@tap.org with
the message: subscribe tap-info your name
---------------------------------------------------------------------
Taxpayer Assets Project; P.O. Box 19367, Washington, DC 20036
v. 202/387-8030; f. 202/234-5176; internet: tap@tap.org
---------------------------------------------------------------------