
"Wired Health"



                  Health Hippo: Electronic Data Interchange

                             Wired Health

85% of people in a recent poll felt that maintaining the confidentiality of
medical records is absolutely essential or very important in national health
care reform, according to one government-sponsored report. Yet 80% already
feel they have little control over how their personal medical information is
used. Gostin, Legislative Survey of State Confidentiality Laws (Presented to
the CDC, Council of State and Territorial Epidemiologists, and the Task
Force for Child Survival). The proposed use of "patient identifiers"
(including the social security number) in electronic medical records is very
controversial.

Privacy concerns? All the government and managed care experts say they don't
see a legal problem with patient identifiers in electronic medical records,
citing the narrow U.S. Supreme Court holding in Whalen v. Roe, 429 U.S. 589
(1977) (State of New York may record, in a centralized computer file, the
names and addresses of all persons who have obtained, pursuant to a doctor's
prescription, certain drugs for which there is both a lawful and an unlawful
market). But in Whalen, the Supreme Court left open the broader issue of the
"threat to privacy implicit in the accumulation of vast amounts of personal
information in computerized data banks or other massive government files,"
stating:

     A final word about issues we have not decided. We are not unaware
     of the threat to privacy implicit in the accumulation of vast
     amounts of personal information in computerized data banks or
     other massive government files. The ...supervision of public
     health... require[s] the orderly preservation of great quantities
     of information, much of which is personal in character and
     potentially embarrassing or harmful if disclosed. The right to
     collect and use such data for public purposes is typically
     accompanied by a concomitant statutory or regulatory duty to avoid
     unwarranted disclosures. Recognizing that in some circumstances
     that duty arguably has its roots in the Constitution, nevertheless
     New York's statutory scheme, and its implementing administrative
     procedures, evidence a proper concern with, and protection of, the
     individual's interest in privacy. We therefore need not, and do
     not, decide any question which might be presented by the
     unwarranted disclosure [429 U.S. 589, 606] of accumulated private
     data - whether intentional or unintentional - or by a system that
     did not contain comparable security provisions. We simply hold
     that this record does not establish an invasion of any right or
     liberty protected by the Fourteenth Amendment.

     Citing Boyer, Computerized Medical Records and the Right to
     Privacy: The Emerging Federal Response, 25 Buffalo L. Rev. 37
     (1975); Miller, Computers, Data Banks and Individual Privacy: An
     Overview, 4 Colum. Human Rights L. Rev. 1 (1972); A. Miller, The
     Assault on Privacy (1971). See also Utz v. Cullinane, 172 U.S.
     App. D.C. 67, 78-82, 520 F.2d 467, 478-482 (1975).

See the concurring opinion of Justice Brennan ("The central storage and easy
accessibility of computerized data vastly increase the potential for abuse
of that information, and I am not prepared to say that future developments
will not demonstrate the necessity of some curb on such technology.") and
the concurring opinion of Justice Stewart stating (to paraphrase) that
privacy rights are best left to the states. Contra, Recommendations of the
Secretary of Health and Human Services for Establishing Federal Health
Privacy Standards. ("A Federal health privacy law should permit limited
disclosures of health information without patient consent for specifically
identified national priority activities.")

Government gathering of personal health care information may present even
more of a political problem than a legal one. Based on the poll results
above, even though some may agree that public health would be improved by
allowing the unfettered access to patient medical records HHS seeks, the
majority seem to be saying, "BUT NOT MY MEDICAL RECORDS!" It will be
interesting to see how Congress and HHS get around the overwhelming
sentiment against allowing further access to the public's personal medical
records and the potential chilling effect such a policy will have on many
personal treatment decisions. See HHS: Unique Health Identifier for
Individuals, A White Paper (released July 6, 1998); Hearings on the Unique
Health Identifier for Individuals, July 20-21, 1998 (web page put up July 6,
1998).

According to the HIPAA law, if Congress has not passed medical records
"privacy" legislation by August of 1999 HHS is required to implement a
scheme for universal patient identifiers by rule. Such a scheme will likely
involve the use of Social Security Numbers, which are slated to become the
"dog tag" of the information age. See e.g., Proposed Rule: State-Issued
Driver's Licenses and Comparable Identification Documents, Federal Register
June 17, 1998 (Federal mandate of Social Security Number on all state
Driver's Licenses by the year 2000 -- comments must be received by August 3,
1998).

  ------------------------------------------------------------------------
Cart before the horse? Charged with implementing at least five new rules
relating to electronic transactions in health care, the Department of Health
and Human Services (HHS) is saving the best for last. Shouldn't the required
rules on security and electronic signatures have been published prior to
mandating identifiers for employers, providers and health plans?

According to HHS, the National Standard Employer Identifier will help
eliminate paperwork, simplify activities such as enrollment in health plans
and payment of health insurance premiums, and save money for consumers. The
proposed national standard employer ID number is the Employer Identification
Number (EIN), which is issued and maintained by the Internal Revenue
Service. Under the proposed rule, health care providers, health care
clearinghouses, and health plans would use this number to identify the
employer on electronic health transactions that require an employer
identifier.

In addition to the national standard employer identifier, other proposals
under the HIPAA Administrative Simplification law call for national standard
ID numbers for health care providers and health plans (not yet available).
The law also requires standards for common electronic health care
transactions, code sets, and "stringent new security rules to protect
confidentiality of and access to health records" (not yet available). All
health plans, health care clearinghouses, and any health care providers that
conduct electronic health transactions are required to abide by these new
standards.

HHS has provided the ability to comment on these new rules electronically
through its Administrative Simplification web site that also provides
information on health privacy and health information standards, and an
email list for notification of new rules. See generally, Electronic
Rulemaking.



                 Health Hippo ©1996-97: hippo@altavista.net