Bennet-Leahy legislation (fwd)
---------- Forwarded message ----------
Date: Tue, 7 Nov 95 19:00:21 GMT
From: hn3384@handsnet.org
To: love@essential.org
Subject: Bennet-Leahy legislation
Jaime,
Dierdre Mulligan at CDT directed me to ask you to post the following
document for the information list discussing the Bennett-Leahy
confidentiality bill. [I was having difficulty subscribing to the e-mail
list.] We hope this document will be helpful in furthering the discussion
regarding this piece of legislation. THANK YOU for your assistance.
Kurt Schade
Public Affairs
AIDS Action
(202) 986-1300, ext. 3060
FILE dierdre
Sent: November 7, 1995 10:39 am PST Item: R00GcVr
Aimee Berenson, AIDS Action Council
November 6, 1995

The following document was prepared by Aimee Berenson, Legislative Counsel for AIDS Action Council, the Washington representative of over 1000 community-based organizations across the nation and the people living with HIV/AIDS they serve, in response to a request from Senator Edward Kennedy's (D-MA) office. Senator Kennedy's office had received a letter from the Massachusetts ACLU regarding the Bennett-Leahy Medical Records Confidentiality Act and specifically asked AIDS Action to respond with regard to how the Act would affect people living with HIV/AIDS.

We believe federal legislation is critical to protecting the confidentiality of people living with HIV/AIDS, and that the Bennett-Leahy bill is a real step in the right direction. We are concerned that the lack of understanding about how little protection medical information is given today will lead people to erroneously believe this bill weakens confidentiality, and for that reason welcome the opportunity to start meaningful dialogue about medical privacy issues for people living with HIV/AIDS by sharing this document on the Internet.

[PORTIONS OR ALL OF THIS DOCUMENT MAY BE REPRINTED WITH APPROPRIATE ATTRIBUTION TO AIDS ACTION COUNCIL.]

=============================================================

THE NEED FOR A COMPREHENSIVE
FEDERAL HEALTH INFORMATION PRIVACY LAW

Protecting the confidentiality of health information is not merely an academic concern for people living with HIV/AIDS. Tragically, the over 1.5 million Americans currently infected with HIV not only face a battle against the disease itself, but against the fear, prejudice, stigma and discrimination that have been the darkest companions of this AIDS epidemic. People living with HIV/AIDS have lost their jobs, their homes, and the companionship and support of their families, friends, co-workers, and communities as a result of their illness. Perhaps even more appalling is the fact that people living with this disease have found themselves discriminated against in the health care system itself -- by doctors, dentists and hospitals who refused to treat them, or by insurers who denied their claims or capped their benefits.

For people living with HIV/AIDS, maintaining confidentiality is essential to preventing discrimination. Studies have shown that the very fear of breach of confidentiality may deter people from being tested for HIV, and that people who suspect that they may be HIV-positive delay early detection and treatment to avoid the potential negative consequences which flow from confidentiality breaches. Thus the lack of confidentiality may cause people to avoid early detection and treatment of their HIV disease, treatment which can greatly improve both the quality and duration of life. Others are frightened into obtaining medical care and services under assumed names to protect themselves, their families, and their friends from the potential consequences of breaches of confidentiality. Sadly, the fears that cause people at risk
of or infected with HIV to avoid the health care system are well-founded. The reported cases of breach of confidentiality of HIV-related health information (which probably reflect only the tip of the iceberg) are a distressing indicator of the potential magnitude of the problem.

The AIDS epidemic has highlighted the inadequacy of the current patchwork of existing state and federal confidentiality provisions. The lack of any federal health information privacy legislation has meant that people living with HIV/AIDS and their advocates have been forced to fight the battle to protect the confidentiality of their health information state by state, government agency by government agency, and case by case, struggling to make a patchwork of state laws that all too often provided little or no protections work. At the same time, we battle attempts to further stigmatize and discriminate against people with this disease by mandating disclosures of highly personal health information for political rather than public health purposes. In some states, efforts to carve out strong HIV confidentiality protections have been fairly successful -- New York and California are notable examples. In other states, such as Illinois, for example, people living with HIV/AIDS have faced the chilling specter of highly politicized attempts to access legally protected information (namely information provided for public health surveillance purposes) in order to conduct witch hunts to ferret out HIV-infected individuals.

The confidentiality of personal health information is not well protected today. Currently, only thirty-four states have any level of privacy protection under state law. Fourteen states have enacted no legislation whatsoever to protect individual privacy interests. Of the thirty-four states that do have privacy laws, the privacy provisions are often found under various state statutes and enforced by different institutions, ranging from corporations to hospitals and public health authorities to insurance commissioners. The legal standard governing the collection and use of health information may depend on the type of information collected (e.g., HIV status, record of abortion or record of general physical exam), the individual or institution collecting it (e.g., a federal entity, a federally funded entity, a state entity or a private entity), and whether the information is required by a third party for purposes of payment. Furthermore, in the absence of privacy law, the degree of protection for personal health data depends on the local policies and practices governing those who handle health information. Individuals who view such information may be bound by employer policy or ethical codes to respect the privacy of the individual to whom the information pertains. However, no consistent policy or code exists, and existing policies often lack enforcement mechanisms.

Protecting HIV-related health information has been further complicated by the fact that in many instances, health care information generally is not protected. In other words, only certain aspects of health information are protected -- for example, the fact that an individual has tested positive for HIV may be protected information, but the information that the individual is getting a prescription filled for AZT is not. And in some instances, confidentiality is protected only in the hospital or health care provider setting, so that when that confidential information is sent to an insurance company or social service provider, it is no longer protected. Thus, even in states that have HIV-related confidentiality protections, the extent of those protections may be limited. Computerization, needless to say, adds to the potential universe of people and entities who may have access to information, and further heightens the already-existing fears people have about potential breaches of confidentiality.

In developing state laws to protect the confidentiality of HIV-related information, AIDS advocates have focused on two areas: limiting the uses and disclosures of HIV-related
information, and ensuring that individuals have control over, and thus confidence in, how personal health information will be used, by creating more genuine "informed consent" written authorization procedures. Traditionally, the "informed consent" model of protecting health care information has not worked well, because individuals have lacked the information necessary to enable them to truly give "informed" consent. Often individuals do not realize the actual universe of people and entities that have access to their personal health information, or understand that there are few limits on the uses or disclosures of information that those with access may make. People with HIV/AIDS are usually aware that information of their HIV/AIDS status may be provided to public health departments for public health purposes, for example, and have fought (and continue to fight) hard to protect their confidentiality in that public health reporting process. Yet people living with HIV/AIDS, like most Americans, are much less likely to realize that within the physician's office, hospital, laboratory, or pharmacy, their personal health information may be accessed -- and potentially disclosed -- by anyone from nurses and technicians to orderlies and receptionists to billing departments. Currently, there may or may not be internal organizational policies limiting the extent of access to an individual's medical record, or limiting use and disclosure of information. Individuals rarely know what the case is in a given setting. Moreover, individuals are routinely required to sign forms authorizing the health care provider to disclose information to insurers. People generally don't realize that this authorization gives the insurer access to their entire medical record; even if they did, most are not in a position to limit such access. A refusal to sign the authorization means the provider cannot be reimbursed, and thus is unlikely to provide treatment or services unless the individual has the ability to pay the costs out-of-pocket,
and usually on the spot. Again, the insurers' access means that many people, from claims processors to utilization reviewers to accounting department personnel, have access to the individual's medical record. Even employers have access to information in that record, if for example the employer is self-insured, or if a third-party insurer is providing information about claims to justify premium hikes based on utilization costs, pre-existing conditions, etc. This poses a devastating dilemma for people living with HIV/AIDS, since they are forced to disclose their illness in order to get insurance companies and medical professionals to provide care, yet may in fact find themselves denied care, legally or otherwise, on the basis of the very information they must disclose to get care. In essence, although people with HIV/AIDS continue the decade-long struggle to create confidentiality protections out of a hodge-podge of constitutional, state, regulatory, and common-law provisions, we still face a situation where the holes are too big, the ground beneath us too unstable, and the costs too great to continue to fight this fight as we have been. It is time to address the failure of our health care system to respect and protect the dignity and privacy of those it is supposed to serve.

The problems faced by people living with HIV/AIDS, and all Americans, as a result of the lack of privacy protections for personally identifiable health information can only be addressed through the enactment of a comprehensive federal health information privacy law. We believe that in order for such a law to be effective, it must meet the following essential criteria:

** Provides a strong, uniform "floor" of protection for all personally identifiable health information.
** Places a legal duty on all individuals and entities which create, collect, or use personally identifiable health information to protect the confidentiality of that information.
** Clearly defines permissible uses and disclosures of information
and builds "firewalls" to prevent the use or disclosure of information for unauthorized or incompatible purposes.
** Provides individuals with sufficient notice and opportunity to limit access, use and disclosure of personally identifiable health information.
** Provides strong, effective legal remedies and sanctions for violations of the law.

THE BENNETT-LEAHY BILL

While there are still provisions in the Bennett bill that need improvement, such as adding a requirement to obtain consent where practicable in the provisions regarding health research and clarifying procedures with regard to certain warrant requirements, we feel that overall the Bennett-Leahy bill is a good bill that comes closer than any other to meeting the need for a strong, comprehensive federal medical records confidentiality law. In fact, the authors of the bill's stated goals demonstrate their intent: 1) to establish the individual's right to access, correct and update his or her protected health information; 2) to establish strict, meaningful, informed consent requirements for the use and disclosure of protected health information; 3) to create a warrant requirement controlling law enforcement access to information; 4) to provide strong civil and criminal sanctions for violations of privacy; and, 5) to provide a private right of action to those aggrieved.

One of the greatest barriers to remedying the current situation is the lack of understanding and public education about the true state of the law regarding privacy of medical records information. Most people believe that this information is afforded much greater privacy protection than it actually is. The ACLU of Massachusetts' letter highlights the need for public education on the issue of health information privacy. In the interest of beginning to engage everyone who cares about these issues in a productive dialogue, brief responses to the points raised in that letter are outlined below. It is critical that everyone who cares about these issues become informed and participate in moving forward, because without federal legislation, personally identifiable health information will be left unprotected and the use and disclosure of such information will continue to be unregulated. We must not allow misinformation and fear of computerization to stop us, because right now there is nothing to stop the erosion of medical records privacy and the exploitation of personally identifiable health information for commercial or discriminatory ends.

RESPONSES TO CONCERNS RAISED BY THE MASSACHUSETTS' ACLU:

** States' rights to enact stronger laws to protect privacy of medical records are preempted . . . No clear exception . . . is articulated.

RESPONSE: The truth is that most states do not have a comprehensive statute that protects the confidentiality of all health information, and that the provisions of the Bennett bill are more comprehensive and rigorous, the penalties stiffer, and the enforcement mechanisms more comprehensive than just about any existing privacy law protecting health information at the state level. However, the bill does specifically protect existing and future state public health and mental health laws, such as HIV or STD laws, that provide greater protections by exempting them from its general preemption clause. Federal Alcohol and Drug confidentiality laws are also maintained. This protection is a major reason why the bill has the support of consumer-oriented groups like AIDS Action Council, Bazelon Center for Mental Health Law, and Legal Action Center.

** This bill disregards the notion that control of private medical information should belong to a patient and should only be released in those situations where there is a legitimate "need-to-know."

RESPONSE: The bill clearly asserts that individuals should be able to control the flow of health information. It requires that the individual's consent be attained prior to releasing information about them to anyone, even those with a legitimate "need-to-know," in all but a few clearly spelled out circumstances.

** The individual's right to control access to intensely personal information . . . is abrogated by this bill.

RESPONSE: The Supreme Court has not found a generalized right to "control access to personal information" held by third parties. Where individuals do have a right to control and limit the use and access to personal information, that right has been established by statute, yet in 28 states in this country an individual does not have a right to access her own records, even though lots of other people may. The Bennett-Leahy bill attempts to craft strong rules that allow the individual to control the flow of information and provide strong effective remedies for their violation.

** The bill creates a special statutory framework designed to assist in the development of large information megabusinesses such as Equifax Services and others.

RESPONSE: Megabusinesses don't need a federal law to help develop the information superhighway -- they've already created it. While the bill does not prohibit health information from being computerized, it certainly does not assist in the development of large information megabusinesses. The bill attempts to address reality. As Senator Bennett stated, anyone who's fighting to keep their records on paper is facing a losing battle. Automation is here and expanding. Equifax, TRW and the many smaller companies involved in the information industry have been, and will continue to enter the health information field with or without legislation. Today, 90% of all the information needed to process insurance claims containing diagnosis and test results moves electronically.

The Bennett-Leahy bill will regulate their actions. It will prohibit information systems providers with whom hospitals contract to complete billing and claims transactions, for example, from capturing and using information for any other purpose without the consent of the patient.

** This bill includes a provision allowing government intrusion into personally identified medical records in fraud investigations without regard to any possible Constitutional violations.

RESPONSE: The bill does permit access to personally identifiable information for a specific category of oversight activities conducted by defined entities, such as oversight conducted in administering Medicaid and Medicare programs. No law specifically prohibits such access now. However, under the provisions in this bill, information accessed may not be used to prosecute the individual unless the action or investigation arises out of and is directly related to the receipt of health care or payment for health care or a fraudulent health care claim. In other words, if the individual is engaged in Medicaid fraud and it is detected during oversight they can be prosecuted. However, if during Medicaid oversight it was discovered that an individual is engaged in some other illegal behavior the information could not be used against them.

** The confidential relationship between individual doctors and patients is replaced by a semi-public relationship with ill-defined and largely faceless health care corporations, using the information primarily for cost-containment analyses.

RESPONSE: The move to "faceless health care corporations" is neither facilitated nor addressed by this bill. The use of aggregate information, information that does not identify individuals, is not addressed by this bill. Individuals have a privacy interest in information that identifies them. However, if a doctor, insurer, "health care corporation," or anyone else, wants to use personally identifiable information to do cost-containment analyses they must obtain patient consent on a form that is separate from the form that authorizes the information to be used and disclosed for treatment and payment. Information attained for one purpose, by a doctor, insurer or health plan, cannot be used for another purpose without consent of the individual.

** Health care providers may create separate records for undefined "administrative" purposes and bar patients from ever seeing or controlling this record.

RESPONSE: The general rule is that patients have a right of access to their health records. A record that is used solely for administrative purposes may only be withheld from the patient if it has not been disclosed to any other person. The exception is meant to cover an extremely narrow class of records, for example a routing slip.

** Health care providers may disclose health information to health information managers who may, in turn, subcontract that information to anyone else, in furtherance of that subcontract, all without patient knowledge or consent.

RESPONSE: In fact, this is current practice in the health care system in this country, and there is no law that regulates this practice now, which is why federal legislation is so desperately needed. It is estimated that during a person's single encounter with the medical system, approximately 80 individuals view health information about that person. Existing laws governing the use of personal health information are a patchwork of insufficient and often conflicting protection. Most states do not have a comprehensive statute that protects the confidentiality of all health information. In the absence of privacy law, the degree of protection for personal health data depends on the local policies and practices governing those who handle health information. The 80 individuals who view an individual's health information may be bound by employer policy or ethical code to respect the privacy of the individual to whom the information pertains; or they may not be bound at all. No consistent policy or code exists, and existing policies often lack enforcement mechanisms.

The Bennett-Leahy bill places a legal obligation to protect the confidentiality of personally identifiable health information on every single one of the 80 individuals who handle the information. It states that whether you are the person who reviews claims, the auditor, or the provider you must respect patient privacy and
abide by these rules or you will be punished. The bill does not control or limit the ability of providers, hospitals and others to contract out services. Like other entities providers may not be capable of conducting all their business in house. They may use an outside transcription service to put spoken words into written form, they may use an information service to send claims information to insurance companies.

The bill imposes the same obligation to respect patient privacy on every entity that touches the information.

** Personally identifiable health information such as HIV status may be disclosed to public health authorities without patient consent.

RESPONSE: The bill maintains a "firewall" between public health reporting and all other types of health information collection to preserve the integrity of that system. It does not preempt, supersede or modify the operation of any State law relating to public health, including HIV, or mental health that prevents or restricts disclosure of protected
health information otherwise allowed under the bill.

** Parties involved in litigation may obtain patient records by simply certifying to trustees that the subject of that information has put their health status at issue in the pending litigation. No clear procedure is available to object to or prevent such disclosures.

RESPONSE: The bill should contain a clear procedure for individuals to object or prevent such disclosures in the context of litigation. Currently, the bill requires a 10 day waiting period after notification to the individual before disclosure is allowed, ostensibly to provide a time period for objection. However, the actual procedure for lodging objections and prohibiting disclosure is not spelled out, as it should be, under the bill. Recommended language would be appreciated.

However, the "minimization" rule also applies to disclosures under this section. For example, if an individual files a workers compensation claim with their employer for a lower back injury, any disclosure
made to adjudicate this claim would be limited to the information necessary. The goal is to eliminate disclosures of material that is not related to the claim at issue; in this example, records about the injury could be released, but not records relating to other treatment.

** In cases where the State seeks medical information as part of a criminal proceeding, there is no provision for any type of evaluation of the need for such information by the court beyond probable cause.

RESPONSE: The general rules concerning use and disclosure limit the amount of information disclosed to the "minimum amount of information necessary to accomplish the purpose of the disclosure." Working together with the warrant provision, which allows disclosure only where there is "probable cause to believe that the information is relevant to a legitimate law enforcement inquiry being conducted by the government authority," the "minimization" provision actually places further limits on law enforcement access to information.

** Law enforcement authorities are given access to the entire medical record without restriction and may use such information to conduct an investigation or to identify a victim or a witness.

RESPONSE: Law enforcement access is governed by the "minimization" rule outlined above. Health information trustees must always limit disclosures to the minimum amount of information necessary to meet the purpose. Trustees may disclose protected health information to a law enforcement agency if it is requested for use in the identification of a victim or witness in a law enforcement inquiry.

** Particularly sensitive information such as psychiatric or psychological treatment, HIV testing, diagnosis or treatment or sexually transmitted diseases would be as accessible in the record as a patient's height and hair color.

RESPONSE: This actually states the stark reality that exists now with regard to the lack of privacy of such information. In contrast, the Bennett-Leahy bill puts control over the accessibility of
information squarely with the patient, who must give authorization for disclosures and may limit access to information. In addition, even when a patient authorizes disclosure, the trustee is still obligated to disclose the minimum amount of information necessary to meet the purpose of the disclosure. For example, the recent case involving Harvard Community Health Plan's practice of placing the sensitive, detailed, psychiatric notes of individual patients into a computer system that was completely accessible to every provider on staff -- literally hundreds of physicians and staff -- would clearly violate the bill. The many people who use the system, such as claim adjusters, auditors etc. do not need access to treatment notes in order to complete their purpose.

Moreover, the bill explicitly does not preempt, supersede, or modify the operation of:

** any State law relating to public or mental health that prevents or restricts disclosure of protected health information otherwise allowed under the bill;
** any Federal law or regulation governing confidentiality of alcohol and drug individual records; or,
** the Americans with Disabilities Act of 1990.

Therefore, additional protections or requirements under such laws will continue to control the treatment of mental health, HIV, STD, alcohol, and drug records.

=============================================================

FOOTNOTES:

1. American Bar Association AIDS Coordinating Committee, __Issues Relating to AIDS and Health Care Reform__, at 30-31 (July 1993).

2. For example, a California Court of Appeal, while sustaining the plaintiff's state constitutional privacy claim, held that the state's HIV confidentiality law only applies to disclosure of the actual record of an HIV blood test result, and not to disclosures of information obtained from other sources regarding an individual's HIV status. __Urbaniak__, 277 Cal. Rptr. at 362.

For more information, contact:

Aimee Berenson
AIDS Action Council
1875 Connecticut Avenue, N.W., #700
Washington, DC 20009
202-986-1300
202-986-1345 (fax)
202-332-9614 (tty)
E-Mail: HN3384@handsnet.org