[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Policy vs implementation

To: med-privacy@essential.org
Subject: Re: Policy vs implementation
From: Mimi Azrael <t182@mci.newscorp.com>
Date: Tue, 30 Jan 1996 22:14:32 -0500 (EST)
  Following on the policy vs. implementation discussion, it occurs to me that
  the enormous costs to states of Bennett Bill compliance may prove to be a
  favorable deterrent to state collection of health care data containing
  personal identifiers (that is, assuming preemption).  In Maryland, for
  example, where the state operates the country's only health claims database
  of its kind, the cost of encryption and security just to operate the
  database is  numbing, even without considering Bennett Bill compliance and
  momentum is growing to abandon the database altogether or at least a
  consensus is forming to restrict data collection (and include patient
  consent) to provide better privacy protection. 
  
  Although there appears to be no need for collectiong personal identifiers,
  Maryland's database contains patients' dates of birth, home zip codes, sex,
  race, and (presently) social security numbers from payors who use social
  security numbers as unique identifiers.  The personal data drives up the
  cost of the database.  The database is a research database tracking access
  and comparing cost of services, not a medical records database.  Most health
  care providers and directors of hospital records I've talked to tell me that
  aggregate data would be sufficient to serve the database's purposes.
  Nevertheless, at enormous cost, Maryland has already collected 100% of 12
  payors' data (electronically transmitted from 10 private payors, Medicare
  and Medicaid for the years 1992 and 1993 -- all without the patients'
  knowledge or consent.  Patients consented to health care payors having
  access to their medical records, but no one ever asked patients if they
  consented to payors turning over their data to the state.  The database's
  annual  report is scheduled for release by state regulators later this week.
  It will be a must-read.
  
  Maryland is not alone in its health database fiasco.  Databases in other
  states (i.e., Vermont, Minnesota, Washington State,  etc.) (see, e.g.,
  Stephen Whitaker's recent posts concerning Vermont's attempted fix by
  introducing what he considers somewhat suspect industry supported privacy
  legislation; and the Cook Report on Washington State's database - "National
  Information Infrastructure:  The Dark Side in Washington State, Big Brother
  Goes on Line - Web of Databases <http://pobox.com/cook>.   Fortunately these
  states have put their databases on hold finding that privacy problems
  wouldn't go away.   Hopefully, Maryland will soon reach the same
  conclusion... One can only hope.
  
  Under the law creating the database, all Maryland outpatient health care
  providers are required to report encounter data that the state
  electronically collects for every single patient encounter had with every
  man, woman and child in the state.  This data, linked to personal
  identifiers will eventually be accessible for private and public use  for
  purposes not yet determined, which arguably could include tracking of
  genetic test results, HIV, abortions, mental health, substance abuse, etc --
  all without the patients' consent...     Providers are up in arms over
  intrusions into patient confidentiality which creates grave ethical dilemmas
  for them and undermines patient trust, which limits the effectiveness of
  treatment, prevention and cure (raising public policy concerns)..
  
  A bill has been introduced in Maryland's brief, 90 day General Assembly that
  is now in session, to require informed patient consent for inclusion of data
  in the database.   But even more to the point, why must the data be linked
  to personal identifiers in the first place??  Without the personal
  identifiers, the cost of the database is greatly reduced without affecting
  the value of the cost containment research data.  Eliminating personal
  identifiers would eliminate the confidentiality issues that have health care
  providers and consumer advocates up in arms.  With no personal identifiers,
  it seems there would be no need for expensive encryption and security at the
  state level or potential costs for Bennett Bill compliance at the federal
  level down the road.   Security and confidentiality of health care data is
  an especially sore subject in Maryland (as it should be elsewhere)
  considering the recent episode where Maryland Medicaid employees were bribed
  into disclosing to health care marketers the names of Medicaid recipients,
  as Denise Nagel of CPR,NE pointed out in the NYTimes piece appearing on
  November 15, 1995.  
  
  I apologize for this long post (was it Wilde who said I didn't have time to
  write a shorter letter?) but I am keenly interested in hearing from people
  with  practical suggestions that might make cost-benefit analysis a
  necessary pre-condition to any state database that contains personal
  identifiers.  On a more basic, practical level, I want to hear from anyone
  with health care war-stories of consumer-worst-fears-realized caused by
  well-meaning (or not so well-meaning) state bureaucrats.  Maryland
  legislators need to hear these stories as they consider bills this session
  to limit the database and weigh the costs of security and privacy risks of
  collecting health claims data containing personal identifiers.
  
  Mimi Azrael, AGF, 101 East Chesapeake Avenue, Fifth Floor, Baltimore, MD 21286
  e-mail <t182@mci.newscorp.com>
Follow-Ups:
- Re: Policy vs implementation
  - From: Robert Gellman <rgellman@cais.cais.com>
Prev by Date: Bill introduced in Great Britain
Next by Date: Re: Policy vs implementation
Prev by thread: Bill introduced in Great Britain
Next by thread: Re: Policy vs implementation
Index(es):
- Date
- Thread