From owner-med-privacy@venice.essential.org Wed Dec 29 14:37:31 1999
From: Robert Gellman
Date: Wed, 29 Dec 1999 14:36:24 -0500
To: med-privacy@venice.essential.org
Subject: [Med-privacy] HIPAA Privacy Regs 1 of 4
Message-ID: <386A62B8.A2A7391F@cais.com>

I filed comments with HHS today on the HIPAA privacy rules. My comments are long (24 pages), and I want to make them more generally available. I certainly do not expect that everyone will agree with my comments. Indeed, I am sure that everyone will disagree with at least some of my comments. But I think that it is important that as many people as possible file comments with HHS. I hope that my comments may provoke some thinking and perhaps serve as a resource for others.

If anyone wants to copy some of my comments and file them on his or her own, that is fine with me. You can take my text, in whole or in part, and change it as you please. The point is that people must be heard from. Comments are due on February 17.

Because of the length of my comments, I have broken them up into three parts. I will send three more messages following this one, and each will be modestly long. If this subject doesn't interest you, you can just delete them.

The comments are all Y2K compatible. Of course, I can't say the same for your computer. Or mine for that matter.
Bob

--
Robert Gellman
Privacy and Information Policy Consultant
431 Fifth Street SE
Washington, DC 20003
202-543-7923 (phone) 202-547-8287 (fax)

From owner-med-privacy@venice.essential.org Wed Dec 29 14:47:59 1999
From: Robert Gellman
Date: Wed, 29 Dec 1999 14:46:49 -0500
To: med-privacy@venice.essential.org
Subject: [Med-privacy] HIPAA Privacy Regs 2 of 4
Message-ID: <386A6529.A4379E7D@cais.com>

Part 1 of my comments starts below my signature.

Bob

Comments on the Proposed Standards for Privacy of Individually Identifiable Health Information
Submitted by Robert Gellman, Privacy and Information Policy Consultant
431 Fifth Street SE, Washington, DC 20003, 202-543-7923
Part 1 of 3

These comments on the HIPAA privacy standards represent my own views, and they are not submitted on behalf of any other person. Overall, I find that HHS made a good faith attempt to develop privacy standards in compliance with the congressional mandate. However, the proposed rules contain many troubling provisions, and I hope that the final rules will fix many existing problems.
The biggest problems with the proposed rules are in these areas:

· Unclear definition of health information and the resulting uncertain application of the rules to record keepers who are not providers or payers
· Uncertain application of the rules to health information not maintained in electronic format
· Overly broad definition of disease management that allows marketing and other inappropriate disclosures of patient information
· Broad exclusions and exemptions for the administrative convenience of federal agencies at the expense of personal privacy
· Failure to give patients sufficient ability to seek additional restrictions on disclosures for treatment, payment, and health oversight
· Lack of adequate procedural and substantive restrictions on law enforcement access
· Practical shortcomings for provisions allowing disclosures of directory information and to next-of-kin
· Incomplete accounting requirements
· Restricted amendment procedures that will not allow patients to even request changes to much information used to make decisions about their health care

In most cases, I tried to offer specific suggestions on how to change the rules. In addition, I include some suggestions for ways that the Department can change its own policies to provide patients with additional privacy protections that it may not be able to impose on others. For example, I propose that the Department adopt an internal policy preventing patient information obtained for law enforcement or oversight from civil, criminal, or administrative use against patients unless the patients are involved in health care fraud. This policy should be adopted for all health record keepers, but it may be beyond the scope of the Secretary's current HIPAA authority. However, nothing prevents the Secretary from adopting the same rule governing HHS activities.
Summary and purpose

The Department asked whether the scope of the rule should be extended to cover all individually identifiable information, including purely paper records maintained by covered entities. I believe that the rule should be written so that the boundaries between covered and uncovered information will be as clear and as easy to apply as possible. The preference should be for a rule covering more rather than less information. It would be a poor policy if record keepers could not tell when a particular item of information is subject to regulation.

The current draft makes it impossible in some circumstances for a person in routine possession of medical information to know if the rule covers the information. Events that take place in other locations, that involve activities of other people, and that occur later in time will affect whether the information has become protected health information.

If the Secretary is not willing to use her authority to cover all health records of covered entities, then the rule should be as simple as possible. A simpler and better rule is that if a covered entity transmits or expects to transmit any part of a patient's record electronically, then all information about that patient maintained by the covered entity becomes protected health information. For most health care institutions, this rule would mean that all patient records are protected health information. Entities that operate exclusively with paper records could remain outside the law.

Clarity, simplicity, and predictability are most important in threshold definitions. In this instance, the Department should adopt an alternative that makes the rule easier for record keepers to apply and that offers record subjects broader privacy protection.

Applicability

References to other laws: This section of the commentary offers a gloss on the phrase "authorized by law."
The explanation is, in essence, that an activity is authorized by law as long as a statute does not prohibit it. This is far too lax a standard. A good reference here is the ACLU of Wisconsin Data Privacy Project report titled In the Balance: State Government and Medical Records Privacy (May 11, 1998). The report documents that many state agencies gather, maintain, or use health information for a variety of purposes. If the proposed rule simply allows collection of identifiable health information by any state agency in the absence of an express statutory prohibition on collection, then the rule will have accomplished little. For example, the provision that permits disclosures for governmental health data systems relies upon the "authorized by law" concept. It marries two broad and virtually unrestricted concepts and allows any government agency to seek health information, almost without limitation, based on the representation that it seeks the data for a "policy, planning, regulatory, or management function." [164.510(g)] The problem is not necessarily with allowing some degree of flexibility. However, applying two overly flexible provisions at the same time results in a standard that is so weak as to be non-existent. An affirmative legislative decision to authorize use of medical data for a particular purpose should not be given the same weight as a failure to prohibit an agency from seeking health information. In some instances, it probably never occurred to bill drafters to prohibit the collection of patient data because the disclosure was unethical or unnecessary. To adopt a rule that treats a failure to prohibit as an authorization is perverse. The solution here may not be simple. It may ultimately be necessary to require agencies to rely on affirmative statutory authority. As the commentary correctly points out, existing statutes may not expressly affirm the authority of agencies to obtain information. 
An appropriate response would be to retain a reasonable degree of flexibility, but only for a limited period of three years following the effective date of the rule. If state legislatures want to grant agencies positive authority to obtain records, they will have opportunity to do so in an environment where concern about privacy has been heightened and public debate on the appropriateness of agency use of health information can take place. If some agencies are subsequently unable to obtain positive authority to access health records, then so be it.

The current language essentially grandfathers all existing actual or implied authority to obtain health information. This is a poor policy choice. Instead, the Department should allow this degree of flexibility for no more than three years. Postponing any new restriction on the ability of state agencies (including law enforcement) to seek records without affirmative statutory authorization will accommodate essential state activities in the interim while requiring a review of those activities in a reasonable way.

An alternative solution is to identify and specify all permissible uses of health data by agencies or others under the guise of "authorized by law." This is a more difficult choice, but it would be better than abdicating responsibility as the proposed rule does.

Definitions

The definition of health information raises serious problems outside the treatment and payment process. Within the treatment and payment process, we can safely assume that all information about data subjects is health information. As a result, we do not encounter major line drawing problems. However, for employers or life insurers, the same assumption does not work. These non-medical record keepers routinely maintain other, non-health, information on individuals. How can they tell when personal information is health information within the meaning of the rule?
Schools would present the same problem, except that the rules unfortunately and inappropriately exempt most schools from the health privacy rules altogether. In many circumstances, it will be impossible to determine reliably whether a particular item of information is health information. If a worker asks for a low salt meal in a company cafeteria, will that information require protection? Will a travel voucher for an employee contain health information after the press reports that the area the employee just returned from had an outbreak of Lassa fever? Does a request for a wheelchair for an airline passenger become medical information when collected by a company travel agent? Do measurements for workplace protective clothing have to be treated as medical information or does the answer depend on what the measurements are? Are the results of a workplace drug test health information or does the answer depend on exactly what the results are?

In contexts where it is not appropriate to assume that all information is health information, the broad language "relates to the past, present, or future physical or mental health or condition of an individual" does not help. For employers, life insurers, and perhaps others, the proposed definition will create impossible problems. The most workable solution is to cover health information in the hands of schools, employers, and life insurers only when they receive identified health information from a covered entity or when they create it while providing treatment or making payment. This is an area where certainty of application is more important than broad scope of coverage.

The definition of health plan excludes health care payment under property and casualty insurance. Putting aside the issue of workers' compensation, the definition creates a significant loophole for insurers who want to avoid the scope of the privacy rules in order to exploit health information for marketing or other uses unrelated to health.
From the perspective of a patient, the nature of the policy is not relevant. When a casualty insurance company pays for health care, the patient will think that the company looks the same as other insurance companies. Yet the rule denies a patient privacy rights for property and casualty insurance information. Sometimes, treatment may continue while the ultimate source of payment (property policy vs. health policy) remains unknown, perhaps for months or years. Will information be subject to the privacy rule in the interim, and how will covered entities or others know? Workers' compensation is a complex subject that requires special treatment and reasonable accommodation. However, like other casualty insurance, it is not entitled to a complete exemption. The Department should not evade its responsibility to address these difficult issues by simply exempting them. If necessary, a separate and subsequent rulemaking should consider how to meet confidentiality interests of patients while allowing workers' compensation to be administered efficiently. The definition of designated record set has two fundamental problems. First, record keepers will find it impossible to determine how to apply this term under the privacy rule. Second, the definition relies upon an outmoded and discredited concept from the Privacy Act of 1974. The Privacy Protection Study Commission recommended abandoning the retrieved in fact standard in the Privacy Act of 1974 more than twenty years ago. See Personal Privacy in an Information Society at 503-504 (1977). See also my article How to Amend the Privacy Act - Part II, in 23 Access Reports (August 20, 1997). Extending this failed concept from the earliest days of privacy law to a new arena is an exceedingly poor choice. In any electronic data system, most records are retrievable. It is impractical to base a substantive requirement on a factual determination of record retrieval practices. 
A record keeper could find a system covered by the rule if a few people actually used some records in unanticipated ways. Imagine the discovery that would be required in a compliance investigation to determine whether a particular record system was, in fact, a designated record set. In my work with federal agencies under the Privacy Act of 1974, I consistently find a lack of understanding of the retrieved in fact standard. The Privacy Act originated in an era of paper records and mainframe computers, when it was more appropriate to distinguish between personal record systems based on administrative use. However, it is inappropriate to rely on the same standard in an era of personal computers, electronic databases, and computer networks. At some agencies, agency personnel now retrieve records that once fell entirely outside the scope of the Privacy Act, making the records unexpectedly subject to the Act. Agency compliance with the law is sometimes incomplete because of changes in administrative practices and technology. It is inevitable that a factually based standard will create identical problems in the health care community. The motivation for the definition may be to exclude some records, such as backup files, from the access and correction requirements in the rule. Simpler solutions are available. One solution would allow a covered entity to exempt duplicate records not directly used to make decisions about individuals. See, e.g., section 101(b)(5) of H.R. 52, 105th Congress. The definition of individual excludes foreign military and foreign diplomatic personnel and their dependents. The commentary offers no adequate justification for this exclusion. If it only applied to records maintained directly by the federal government, then the problems inflicted by the exclusion would fall exclusively on the federal government. But it includes care paid for by DOD, and this means providers, plans, and clearinghouses will have some patient records. 
From the perspective of these other record keepers, the records will likely look exactly like other patient records, except for the arbitrary exclusion from the Act's protection. As a practical matter, the records may not be treated as outside the scope of the rule, if for no other reason than it would be an impossible administrative burden. However, if any covered entity treats the records as exempt, then - contrary to the likely intention - the covered entity may conclude that it lacks legal authority to make some disclosures permitted under the proposed rule. However, the covered entity would be able to exploit the records of this sensitive class of diplomats for marketing. If someone chose to create and market a list of foreign diplomats with cancer, the Department would more readily understand that the exclusion is a poor choice. This exclusion is one of many instances where the proposed rule relies on an exclusion, exemption, or special rule for privacy matters involving federal agencies. While some governmental functions warrant special health privacy rules, the Department is too willing to allow other agencies to evade the purpose of the proposed rule with an unnecessarily broad special provision. The Department should put up more resistance to these requests from other agencies. The Department should identify the underlying problems and look for a narrow response rather than a total or broad exemption. In the case of foreign personnel, it is particularly unconscionable that the Department agreed to deny privacy rights. These records are not exempt from special protections under federal alcohol and drug abuse statutes. They are not exempt under state laws, and the records will retain any stronger protections under state laws despite the proposed rule. This will only add to the confusion of record keepers and attenuate the point of the exception. 
It will be impossible for record keepers to tell when the exemption actually applies or what the exemption means in practice. Further, the United States faces serious international questions about the adequacy of its privacy laws and policies. To establish a new health privacy rule that exempts a class of foreign nationals from any privacy protection may have broad, negative repercussions for HHS activities, federal government activities, and for private companies. The exclusion eviscerates any argument that the health privacy rules offer individuals adequate privacy protection within the meaning of the European Union Data Protection Directive. Excluding any foreign nationals from privacy protections will exacerbate existing tensions with the European Union and other countries. The definition of individually identifiable health information makes a good effort to reflect the complexities of determining what constitutes de-identified information. The definition and the associated discussion recognize the near impossibility of indisputably identifying a category of de-identified information. We may have reached the point where few, if any, compilations of individual-level personal data can be considered truly de-identified. So much personal data can be readily obtained from public and private sources that even small amounts of individual-level information without identifiers can often be matched with identifiable records. As the years pass and more personally identifiable data becomes available, the problem will only grow worse. The proposed solution is a step in the right direction, but it does not go far enough. The definition should be accompanied by a procedure that offers greater protection to individuals while supporting appropriate use of information that may still be identifiable, despite the removal of overt identifiers. This procedure would require a covered entity seeking to disclose de-identified data to sign a formal agreement with the recipient. 
The agreement would bind the recipient not to attempt - or to permit others to attempt - to re-identify any of the data. The agreement should state that it is expressly for the benefit of data subjects. This type of agreement would allow an aggrieved individual to seek legal remedies against a violator. The agreement not-to-re-identify approach has the advantage that the rule proposed for entities with appropriate statistical experience might no longer be necessary. All recipients would sign the same basic agreement.

The term research information unrelated to treatment is not clear. The need for the term is elusive. Frankly, I am unable to understand the point of the term and its associated substantive provision. Regular research information is subject to IRB oversight. This category of research information is apparently not. The recognition of two separate categories of research information is confusing and potentially troublesome. The failure here may be just one of explanation, but the Department has so far not met the burden of justifying its response to a problem that no one else has identified in twenty years of discussions about health confidentiality.

The definition of treatment includes disease management as an included function. Disease management is not a defined term, and this creates one of the biggest loopholes in the rule. Protected health information could be disclosed to virtually anyone - including marketers and employers - under the guise of disease management. It is essential that this loophole be closed.
The potential breadth of the term is evident from a definition recently adopted by the Disease Management Association of America:

"Disease management is a multidisciplinary, continuum-based approach to health care delivery that proactively identifies populations with, or at risk for, established medical conditions that: supports the physician/patient relationship and plan of care; emphasizes prevention of exacerbations and complications utilizing cost-effective evidence-based practice guidelines and patient empowerment strategies such as self-management education; and continuously evaluates clinical, humanistic, and economic outcomes with the goal of improving overall health."

It is difficult to imagine any privacy-invasive use or disclosure of patient information that could not be justified as disease management under this definition. The definition fails to recognize that patient privacy and patient consent are relevant as limiting factors in disease management activities. I certainly do not recommend the adoption of this definition in the regulations.

The Department should remember the response when the Washington Post revealed the use by Giant Food and CVS of patient information for marketing. The public reaction was intense, immediate, and negative. Although the pharmacies tried to justify the disclosures as disease management programs benefiting patients, the public would have none of it. The disclosures clearly violated patient expectations of confidentiality. The political reaction was swift as well, and pending health confidentiality bills were withdrawn and revised in an attempt to prohibit non-consensual disclosures of the type made by Giant Food and CVS. I am not arguing that all uses and disclosures for disease management should be prohibited.
However, the Department should not allow any possibility that a marketer or employer will receive identifiable patient information for disease management - no matter the terms of the disclosure - without express patient notice and consent. Marketers and employers may be the primary focus of concern. However, disease management activities could theoretically allow disclosures of patient data to friends, neighbors, law enforcement agencies, fundraisers, or anyone else who might be able to remind a patient to take a drug, renew a prescription, or avoid injury. I have several suggestions for remedying the problem. First, disclosures for disease management to marketers and employers should be flatly prohibited without affirmative and explicit patient notice and consent. Under no circumstances should a patient be able to authorize a disclosure to a marketer or employer for disease management unless the authorization form expressly so states. A generic authorization permitting disclosures for disease management should not be sufficient to justify disclosure to an employer or marketer. Second, the rule should permit uses (but not disclosures) of patient information for disease management purposes as long as a health plan or provider directly conducts the disease management activity. However, if a covered entity conducts disease management through a business partner or external entity, explicit patient notice and consent should be required. Notice and consent should be required even if the same activity conducted directly by the covered entity does not require patient consent. Third, the Department should adopt a reasonable but narrow definition of disease management to prevent it from providing justification for any disclosure that a covered entity might care to make. 
At a minimum, the disclosure should be based on a medical judgment by a medical professional that specific tasks or goals tied to specific outcomes will benefit a specific individual or a discrete and identifiable class of patients.

Fourth, if a covered entity receives a payment or other compensation from a third party to support a disease management program, the specific identity of the real party in interest providing the incentive and the amount should be disclosed to patients. Notice should be required even if a disease management program does not involve a disclosure of patient data to the third party providing the incentive.

Finally, a patient should be able to decline participation in disease management activities, and providers and health plans should be required to honor a patient's request. The right-to-restrict policy in the current rules does not give patients the absolute right to prevent disclosures for disease management.

End of Part 1 of 3

From owner-med-privacy@venice.essential.org Wed Dec 29 14:49:44 1999
From: Robert Gellman
Date: Wed, 29 Dec 1999 14:48:32 -0500
To: med-privacy@venice.essential.org
Subject: [Med-privacy] HIPAA Privacy Regs 3 of 4
Message-ID: <386A6590.F17D6F74@cais.com>

Part 2 of my HIPAA privacy comments starts below the signature.
Bob

Comments on the Proposed Standards for Privacy of Individually Identifiable Health Information
Submitted by Robert Gellman, Privacy and Information Policy Consultant
Part 2 of 3

Minimum Necessary

I support the minimum necessary standard for disclosures despite the uncertainties involved. However, the Department needs to do a better job of explaining how the requirement will operate in different circumstances. Record keepers need more guidance so that they will understand how to apply the rule when disclosing records for research, public health, law enforcement, and other routine circumstances. The final rule should include operational examples that address differences between disclosing paper and electronic records, the role of medical professionals in making decisions, and how the rule might be applied in a different way over time as technology changes.

More explanation is crucial because the result of too much uncertainty may be more disclosure rather than less. If entities decide that they are at risk for making disclosures that exceed the minimum necessary, they may insist on broader disclosure authority to minimize that risk. For example, if asked to disclose records necessary for a determination of disability, a provider may refuse to decide what is necessary to the determination. The provider may instead insist on a disclosure authorization for the entire record. That protects the provider against violating the minimum necessary standard, but it undermines protections for patients. The Department must pay more attention to the allocation of risk and liability under this provision.
In at least some instances, a cautious record keeper may just refuse to provide records. Guidance will help to avoid unwanted results. We have considerable experience under the Privacy Act of 1974 documenting that it takes time for record keepers to become familiar with new disclosure restrictions. Guidance will shorten the time required for record keepers to feel comfortable, but it will not eliminate the uncertainty immediately. However, the likelihood of uncertainty is not sufficient reason to eliminate the minimum necessary standard altogether. It is a fundamental requirement for any health privacy rule.

The proposed rule states that the minimum necessary standard does not apply to uses or disclosures mandated by law. This is curious at best. When a law mandates a disclosure, a covered entity should disclose no more than the specific information required. For example, if a policeman may ask if a patient is present in a hospital, the hospital should disclose only the location information and not the diagnosis or other details. The statement that the minimum necessary standard does not apply gives the wrong impression. The rule should state that legally mandated disclosures are bound by and may not exceed the statutory mandate. Record keepers should be directed not to turn over entire patient records in response to a legally mandated request. For example, for mandatory STD reporting, disclosures should be limited to STD information and should not extend to other diagnostic or test information or to provider notes.

Right to Restrict

The choice made by the rule to allow disclosures without authorization for payment and treatment is a compromise that only works if the small percentage of patients who want additional restrictions on routine disclosures can be reasonably accommodated.
For more on the shortcomings of requiring patient consent for treatment and payment, see the chapter I wrote on Personal, Legislative, and Technical Privacy Choices: The Case of Health Privacy Reform in the United States in Visions of Privacy: Policy Choices for the Digital Age (Bennett & Grant, eds., 1999, Univ. of Toronto Press). Giving individuals a realistic opportunity to seek restrictions on payment and treatment disclosures authorized by the rule is crucial. However, the proposed rule does not strike an adequate balance. A health plan or provider might simply refuse all patient requests for additional restrictions because of a plan's or provider's laziness or administrative convenience. The commentary goes too far in telling covered entities that they can decline to even consider requests. For example, if a patient decides to pay for health care out-of-pocket rather than use insurance coverage, the patient will accomplish nothing if the provider refuses to conceal the treatment from the insurance company. I recognize that contractual or other circumstances may justify a refusal of a patient request from time to time. Nevertheless, patients still need more consideration of their requests. The solution is to require that covered entities negotiate with patients over disclosure restrictions in good faith and that they must provide a written reason for rejecting the request of a patient. Fairer negotiations and clearer explanations will provide those patients whose requests cannot reasonably be accommodated with an opportunity to make other arrangements for their health care. Covered entities should also be required to keep track of how they handle patient requests for restrictions so that HHS can review the degree of good faith shown in handling requests. Without a record-keeping requirement, those at HHS charged with enforcement may be unable to determine if an entity treats patients' requests fairly and honorably. 
Business Partners

Covered entities disclose protected health information to many different business partners. Written contracts are appropriate for many of these disclosures in the way that the rule provides. However, the same procedure is not appropriate or practical for all relationships. For example, patients' records may technically be "disclosed" to companies providing telephone service, delivery service (the law protects Postal Service mail against opening for inspection, but courier services have no similar legal restrictions), Internet service, credit card support, equipment repair, financial audits, and legal service. Records may even be "disclosed" to moving companies hired to haul boxes from one location to another. Telling each covered entity to negotiate an agreement with every company providing routine, standard services is unnecessary at best and terribly expensive at worst. The Department should identify as many standard disclosures as possible and should develop language that meets the requirements and intent of the privacy rule for service providers to incorporate in standard contracts. This will avoid the need for tens of thousands of individual negotiations. The idea is similar to the proposal to exempt disclosures for consultations for treatment. A similar approach for selected other disclosures will be the most efficient way of solving common problems and will reduce the costs of compliance significantly. It will also benefit contractors who will not find it necessary to repeat identical negotiations with their subcontractors.

Deceased Persons

I support the decision to place a two-year limit on the application of confidentiality principles after death. This policy choice makes a reasonable balancing of the complex interests that arise.

Individual Authorization

The collection of authorizations for marketing uses and disclosures is fraught with potential abuses.
In the past, disclosure of patient information for marketing purposes was unethical. The omnivorous demands of marketers combined with the allure of profits for record keepers and the growth of health plans that operate without any of the traditional provider ethical constraints have significantly weakened disclosure standards to the detriment of patients. An unfortunate consequence of standardizing procedures for authorizations may be that demands on patients for marketing authorizations will increase as covered entities learn how to pressure patients into signing authorizations. The Department should use the rule to stop the trend toward increased trafficking by marketers in patient data. Most patients strongly object to marketing activities based on identifiable patient data, but sick or inattentive individuals may not be able to understand or resist pressure from health plans or others to sign authorizations for marketing. One easy change is to expressly prohibit any clearinghouse from seeking patient authorization for marketing disclosures. I doubt that any clearinghouse would object. For plans and providers, I offer several ideas. First, a covered entity should be prohibited from seeking consent from patients for any marketing disclosures that benefit a third party. Third parties that want patient information for marketing should be forced to obtain the authorizations directly from patients and without the assistance or intervention of a covered entity. The purpose is to remove any incentive that a plan or provider might have to do business with marketers. Note that this suggestion applies only to disclosures and not to uses. A covered entity that seeks to market its own products or services directly to patients should be able to do so with notice and consent. However, any use that involves a disclosure of any type to a third party should not be permitted.
Further, the marketing use must be for a service or product provided directly by the covered entity and not by any affiliated company. This type of restriction is necessary to prevent consumer marketing companies or others from purchasing health care providers just for the ability to access patient records for marketing purposes. This is not as far-fetched an idea as it might seem. The merger of Citibank and Travelers Corporation was justified in large measure by the value of cross marketing. Second, it is not sufficient for an authorization to reveal that the covered entity requesting the authorization will gain financially from the disclosure. The identity of the person providing the financial incentive should be included on the authorization, along with the amount of the financial gain. If these requirements inhibit the marketing uses of identifiable health information, that would be appropriate. It was not the intent of Congress nor should it be the purpose of the Department to make it easier for marketers to obtain patient information. Third, the rule should require full public disclosure of all marketing arrangements between covered entities and others. The details should be disclosed on the website of the covered entity or available upon the request of any person. If disclosure inhibits a covered entity from seeking authorizations for marketing, so much the better. No one should be permitted to hide a marketing campaign based on identifiable patient information behind a business confidentiality screen. Here too, the goal should be to discourage marketing using identifiable patient information. Fourth, the rule should provide that all authorizations for marketing expire in six months. A short, fixed period for these authorizations is essential so that a casual agreement by a patient in a weak or confused moment will not result in a lifetime of marketing disclosures by an avaricious covered entity. 
Additionally, accounting for marketing disclosures should include not only the person who received the information but the actual party in interest as well. For example, if a pharmacy disclosed patient data to a lettershop for a marketing campaign funded by a drug manufacturer, the accounting should identify both the lettershop and the manufacturer. Telling the patient that the XYZ Lettershop received the data is not as meaningful as telling the patient that the ABC Pharmaceutical Company benefited from the disclosure. The proposed rule states that a covered entity may not condition treatment or payment on a patient's authorization. This is a step in the right direction, but it does not go far enough. The rule does not prohibit the use of financial incentives to induce a patient to sign an authorization. For example, a health plan could offer a discount to patients who sign an authorization. If allowed, financial incentives could be used unfairly. For example, a health plan could establish a high copayment but reduce it drastically for patients who sign an authorization. This conduct should be prohibited. The rule does not require the use of a contract between a provider and a pharmaceutical company, but it requested comment on the idea. In my view, a contract that identifies the patient as a third party beneficiary is valuable. At best, the Department's enforcement will be able to identify, investigate, and sanction only a small fraction of abuses. By giving patients enforcement rights as third party beneficiaries under contracts, patients will be able to supplement the work of the Department by seeking enforcement of their own rights in court. The rule should not only require contracts with third party beneficiary clauses for arrangements between providers and pharmaceutical companies, but it should require such contracts for all allowable arrangements between covered entities and anyone seeking information for a marketing purpose. 
The rule should provide that all authorizations be dated on the day that they are signed. No one should be allowed to collect an authorization to become valid on a date in the future to be designated by the person seeking the authorization. There have been abuses of the dating of disclosure authorizations in other circumstances. The provision in section 164.508(a)(2)(iv) that prohibits a covered entity from seeking an authorization covering treatment, payment, or health care operations needs to be rethought. At times, a patient or provider may need a signed consent to comply with a state or foreign law, or in other special circumstances. In other cases, a provider (e.g., a psychiatrist) that shares a patient's concern about confidentiality may affirmatively seek an authorization narrowing the provider's ability to disclose information. The proposed rule prevents that from happening. I suggest amending the provision to prevent a provider from routinely requiring a patient authorization for treatment, payment, or oversight that permits more disclosures than allowed by the rule. If a provider wants either a narrower authorization or an authorization identical to the rule, the patient should be allowed to agree.

Health Oversight

The definition of health oversight activities includes almost any activity pertaining to government benefit programs. The rule should make it clear that government benefit programs requiring health information about applicants need authorizations. The authority to use health information in the oversight process should not be construed to include the initial collection of benefit information for routine health or welfare programs. Applicants should know when an eligibility decision requires health information. They should be asked to consent. Consent should be the default method for obtaining access to records.
The commentary says that the regulation allowing a health oversight agency to obtain health information does not create any new right of access to records. That point is absent from the rule. It is crucial to make this point clearly in the body of the rule. Disclosures for health oversight can be a significant invasion of personal privacy. When they are necessary to serve a broader societal interest, patients deserve better protection. Some legislative proposals introduced in recent years include a policy that prevents information disclosed for a purpose such as health oversight from use in any administrative, civil, or criminal action or investigation against the subject of the record unless the action or investigation arises out of and relates to receipt of or payment for health care. It would be appropriate for the Department to include this policy in its rule. Admittedly, there is some doubt about the authority of the Secretary to impose this type of patient protection through the rule to all oversight agencies. However, the Secretary has more than enough power to order all components of the Department to follow the policy. Accordingly, I recommend that the Secretary issue an administrative order prohibiting all Department components from using any patient records obtained for oversight activities in any administrative, civil, or criminal action or investigation against the subject of the record. I would allow an exception if the action or investigation arises out of and relates to receipt of or payment for health care. The same order should cover law enforcement, public health, and other non-consensual disclosures. An administrative order of this type could be issued immediately and without waiting for the privacy rule to take effect. Further, the entire federal government should operate under these restrictions on reuse of information even if the legal authority to mandate the restrictions on others does not exist. 
The Secretary should seek the issuance of an executive order or similar presidential document to impose the same restrictions government-wide. The federal government should take the lead in implementing patient protections and should provide an example for the states. The federal government was a leader, for example, in using Miranda warnings in law enforcement investigations. Federal administrative action might encourage states to adopt legislation limiting their own agencies from using information disclosed for a specific purpose in another way that undermines the privacy interest of patients.

Judicial and Administrative Proceedings

The proposed rule permits a covered entity to disclose protected health information that relates to a party whose health condition is at issue in a proceeding and where the disclosure is pursuant to lawful process such as a discovery order. The rule assumes that because the subject of the record is a party to the proceeding, the subject will have notice of discovery orders. This is not always true. The rule needs to be modified to require actual notice to the record subject or to the subject's lawyer. Further, access through this method should be limited to instances in which the record subject placed his or her medical condition or history at issue. If another party to litigation raised a medical question, then the party seeking the record should be required to obtain a court order rather than a routine discovery request. The rule should establish a process that offers appropriate assurance to record keepers as well as adequate notice to the subject of the record. A person seeking protected health information through discovery should be required to notify the subject or the subject's attorney of the request for information.
The person seeking the information should be required to provide the covered entity holding the information with a signed document attesting 1) that the subject of the record is a party to the litigation; 2) that the individual has placed his or her medical condition or history in issue; 3) the date on which the subject of the record received notice of the request; and 4) that ten days have passed after the notice and the subject of the record has not objected. See section 118 of H.R. 52, 105th Congress. This procedure will assure that the subject of protected health information receives actual notice of a discovery request and that the subject can object in a timely fashion. Just because litigation involves an individual's medical condition, the individual's entire medical file will not necessarily be relevant. If litigation involves a broken leg, the disclosure of the plaintiff's psychiatric records may not be relevant. The general rule limiting disclosures to the minimum amount of information necessary to accomplish the purpose should be fully applicable. Patients can use the rule to contest the scope of discovery requests. Of course, if a dispute arises over a discovery disclosure, the notice procedure allows the tribunal considering the matter to resolve it without any involvement on the part of the covered entity.

Law Enforcement

The law enforcement access provision has many shortcomings, and I will leave it to others to raise broader objections and to discuss the role that courts should play in approving law enforcement access. I will only comment on a few aspects. The proposal allows any law enforcement agent to obtain health information without requiring a written request. The commentary is significantly misleading in suggesting that a writing is required. The rule itself makes it clear that the police can receive patient data simply by flashing a badge and making an oral request.
The rule should require that any routine request for information from the police be in writing and signed by a supervisory official. The proposed three-part test is mildly useful and should be retained. However, unless law enforcement agencies make their determinations in a written and signed document, the requirement will be an ineffective barrier to inappropriate access. An oral representation that the request qualifies under the test has little significance. Law enforcement agencies should be obliged to state with some precision the information that they require. If the police need only the location of a patient, they should not obtain access to the complete patient record. The police must provide enough information about their needs to allow application of the minimum purpose rule. The commentary says that substance abuse records continue to be covered by 42 U.S.C. 290dd-2. That statement belongs clearly in the rule itself or else it will create unnecessary confusion. The rule governing disclosures for intelligence and national security activities needs reconsideration. As written, the provision allows a large number of employees of many different agencies to make requests for health records. The rule requires no writing or involvement by supervisory personnel of the requesting agency. The rule offers no protections to patients. It is far from apparent why any personnel of the National Reconnaissance Office or the other agencies identified in the law as part of the intelligence community need the ability to seek health records. Nothing in the Privacy Act of 1974 allows such broad and unrestricted access by intelligence agencies to health records or even to less sensitive records about individuals. The intelligence community needs to make its case for access to federally maintained health records in a public way. The rule should be revised to permit disclosures only for those specific needs. 
Further, all requests for access should be accompanied by a written request signed by a supervisory official of the agency. The same is true for the Secret Service. Its need for information in support of protective functions should be met under the emergency circumstances provision of the rule. The disclosure by a physician or psychiatrist of patient information to the Secret Service without a serious and imminent threat is inappropriate and unethical. The Secret Service has not justified the need for nonconsensual disclosure in other circumstances.

Governmental Health Data Systems

A recent ACLU report documents the widespread use of health data by government agencies. See ACLU of Wisconsin Data Privacy Project, In the Balance: State Government and Medical Records Privacy (May 11, 1998). The report shows that many state agencies gather or use medical information for different purposes. If the proposed rule simply allows the continuation of any collection of identifiable health information by any state agency, then the rule will accomplish little to protect patient privacy. The commentary tries to make a case for permitting open-ended authority for the collection of health information for health data systems with a variety of functions. I do not oppose allowing legitimate health data systems to obtain patient information under defined circumstances when information in the data system has adequate protection. The rule, however, imposes no procedural or substantive requirements on disclosures to health data systems. Indeed, the rule allows disclosure of health data for policy, planning, regulatory, or management functions entirely unrelated to health care. The police could qualify to obtain all identifiable patient data for a database designed to help the police make decisions about management of the use of police resources near a health care facility.
Requiring verification of identity, as provided in section 164.518(c), is appropriate, but the suggestion that verification presents a significant barrier to access is wrong. The standard for access is so broad that dozens of federal and state agencies with no direct health responsibilities could legitimately obtain information. Virtually any government agency in the United States could use this provision to seek health records unless expressly prohibited by law from doing so. Under the verification rule, agency personnel need only show an identification card and orally state that they qualify for access. The rule needs several changes to address access by agencies that do not have express statutory authority to obtain patient data. First, an agency seeking data should be required to inform the public of its request. Many requests will be routine and continuing, so a public notice requirement will not be onerous. The notice should allow for public comment before any actual disclosures. Second, if data collected for a governmental health data system can be used in any way against a patient, then the public notice should be required to explain all of the possible consequences. Third, the requesting agency should be required to make a written request, state the reason for the request, and identify all planned uses of the information. Fourth, the rule should require the removal of identifiers at the earliest opportunity consistent with the purpose of access. Finally, the purposes for authorized disclosure need to be much more carefully defined and limited to health care functions. This provision should not create a backdoor excuse for access by police, schools, libraries, or other agencies that have no need for individual level or identifiable patient data.

Directory Information

I support disclosures of directory information with an opt-out by a patient, except in circumstances where the information will reveal information about the patient's condition.
The proposed rule is far too impractical. The rule requires agreement by patients. Lawyers are likely to interpret this to require a writing. How else can a covered entity document patient approval when a dispute arises? The commentary says that verbal agreement is adequate. The rule itself says no such thing. Even if it did, providers would still face the practical requirement of documenting that the patient was asked. A failure to check a box on an admission form could open providers to liability. Allowing verbal agreement is impractical in other ways. I recently spent an hour in an emergency room, where dozens of patients awaited care. When a physician was ready for the next patient, a nurse entered the waiting room and called the name of the patient. The presence of the patient in an emergency room is directory information, and the announcement is a disclosure. If a patient objected to the release of directory information, then how would the nurse find the next patient? When disclosing directory information, privacy must yield to the practicalities of the world. Telling emergency room personnel that they must ask each patient for permission to call his or her name will only create burdens and unnecessary liability for providers. The same will be true in any physician's office. It is sufficient to allow a patient with a special concern about directory information to step forward with that concern and make a special arrangement. The Department should reexamine the lesson from the Maine health privacy law that the legislature withdrew and revised because it imposed impractical limitations on the operations of the health care system. The public will not tolerate a privacy law that is not practical and that imposes unreasonable burdens on patients and their families. 
End of Part 2

From: Robert Gellman
Date: Wed, 29 Dec 1999 14:50:20 -0500
Subject: [Med-privacy] HIPAA Privacy Regs 4 of 4

Part 3 (the last part) of my comments on the HIPAA privacy rules starts below the signature.

Bob

Comments on the Proposed Standards for Privacy of Individually Identifiable Health Information
Submitted by Robert Gellman
Part 3 of 3

Banking and Payment Processes

The proposed rule addresses a problem, but the rule is too broad. Disclosures to a bank or other financial institution without express patient consent should only be permitted after a patient offers a check, credit card, or other payment method to the provider. The presentation of a payment method is the moral equivalent of consent for disclosures necessary to complete the transaction. The rule should expressly make payment disclosures contingent on a prior patient action.
Presentation of a check or credit card or a standing authorization of a payment method would suffice. However, it should be improper to assume that a patient who previously paid by credit card intended to continue that payment method without evidence supporting the intention. No provider should be able to query banks or other institutions looking for someone who has funds to pay a bill. Further, the provision should expressly exclude bill collectors from receiving information. Bill collectors should be business partners and fully subject to the rule because of their relationship with providers. Disclosures to credit bureaus by covered entities should require patient consent unless a limited disclosure reveals no protected health information at all. However, a credit card company should be able to disclose an unpaid bill to a credit bureau under applicable law even if the bill covers health care services. A disclosure to the credit bureau would not normally identify the nature of the transaction that gave rise to the debt, unless the credit card is exclusively for health expenses. Finally, the rule should expressly ban the disclosure to financial institutions of any diagnostic information or other detailed treatment information. If questions arise about a transaction that might justify any detailed disclosure, then patient involvement and express consent should be required. The suggestion in the commentary that disclosures be limited to specific data elements is entirely appropriate, but the rule should expressly list the elements.

Research

I support access to records by researchers without patient consent under the general terms suggested in the proposed rule. I support researcher access even though the research community has done a consistently poor job of explaining to the public why it needs identifiable patient records without consent. I believe that the public interest justifies disclosures under proper supervision by IRBs.
The proposed additions to the Common Rule are reasonable. The Department should ignore the mewing of some researchers who do not want to accept any additional responsibility for the protection of the records that they need. Researchers are so convinced that their work is in the public interest that they have not bothered to try to make the case publicly. It would not take much of an effort to arouse public concern about researcher access and to overturn the generally open access to records that the research community has been able to maintain for many years. Complaints that a new privacy rule will make it harder to convince record keepers to share records with researchers should be ignored as well. No matter what the rule provides, record keepers will inevitably be more wary about disclosing records in the future. Some new additional limitations and refusals are inevitable. This would be true even if the rule allows unrestricted access for research or grants record keepers full immunity from liability for researcher disclosures. It would also be true even if the Department withdraws the rule and no legislation ever passes. Greater public concern about privacy has permanently altered the environment for disclosure of personal information. In any event, researchers propose more good research than can possibly be funded - even with increased budgets - so that if some projects become impossible because of changing attitudes on information sharing, other good research will take its place and benefit the public just as much. I have several suggestions for Department actions on research, not all of which necessarily call for changes in the proposed rule. If changing the rule is not appropriate to satisfy these suggestions, the Department should use other existing authority to accomplish the objective. First, IRB members should be required to undergo privacy training. This can be accomplished in a variety of low-cost, administratively simple ways. 
Privacy training should be mandatory for IRB chairs and co-chairs. Other IRB members should have to undergo training on a rotating and periodic basis (e.g., every two years). Second, IRBs should be required to have at least one person with professional training or experience in either privacy or security. Third, IRBs should be required to maintain websites and to publicly post information about proposed or approved projects. Fourth, the Department asked for comment about the possibility of using contracts with covered entities regarding access to and use of patient records. This is an idea worth exploring, but it is not something that should be generally required at this time. Instead, the Department should accept the initial burden of testing the idea by imposing a requirement for contracts as a condition of access to its own records. This test would provide an opportunity to see how the idea works in an environment where most of the costs of the contracting itself would be borne by the Department. A modest test would provide a better assessment of the practicality and administrative consequences of mandating contracts more generally. Any contracts should be written to treat a record subject as a third party beneficiary so that the subject could sue for breaches of privacy. Fifth, some in the research community routinely state in public that there have been no breaches of confidentiality by researchers. No one has attempted to study this issue, and I recommend that the Department take steps to collect data. Based on anecdotal evidence, it appears that some examples can be found readily. If initial findings warrant further action, the Department might consider initiating a full investigation. We need to know the scope of researcher misuse of patient information. The proposed rule about individual access to records of clinical trials also requires some adjustment. The rule limits access as long as a trial is still in progress.
I do not believe that any limitation on patient access is appropriate. Patients have rights of access today under the Privacy Act and under some state laws. No one has offered evidence of a single clinical trial that was unduly disrupted by patient access. Researchers can explain the need for double-blind studies to participants, and many will agree to defer access. Those who do not understand or agree can always drop out of a trial and disrupt it that way. Further, the limitation will only motivate patients to file malpractice suits against researchers to obtain access. Also, because state laws often provide for patient access, the clinical trial exception is only likely to be available occasionally. Some trials last for decades, and this rule will make it impossible for patients to obtain their records although they are not participating in the trial anymore. The restriction on access could still be in place years after a patient died. If the rule retains any limitation on access, it should nevertheless require access if a patient is no longer a participant. In addition, if a patient seeks access to information for medical reasons relating to treatment, access should be required. It would be unethical and outrageous to deny a patient access to records if the patient has received drugs or treatment that negatively affected his or her health. It is my understanding that these disclosures are often required as part of the approval process for clinical trials. The commentary suggests later that disclosures for treatment should be permitted where appropriate. This is a lovely sentiment, but it is meaningless unless stated as a mandatory exception in the rule itself. Finally, the clinical trial exception should make it clear that the exception has no bearing on patient access in litigation.

Next-of-Kin

The rule's next-of-kin provision is another example of a policy that is impractical.
I recommend that next-of-kin disclosures be allowed for oral disclosures of protected health information about an individual to the next-of-kin or to a person with whom the individual has a close personal relationship if (a) the entity has no reason to believe that the individual would consider the information to be especially sensitive; (b) the individual has not previously objected; (c) the disclosure is consistent with good medical or other professional practice; and (d) the disclosure is limited to information about current health care treatment. See, e.g., section 114 of H.R. 52, 105th Congress.

Requiring verbal agreement by patients will not work well in the real world. Lawyers for covered entities are still likely to insist on a writing to prove that the entity asked and that the patient agreed. Without documentary evidence, an entity faces the prospect of liability for any disclosure just on procedural grounds. It is easy to envision circumstances in which the failure to obtain verbal consent will create real world disruptions. The commentary seeks to deal with some (e.g., disclosures by a pharmacist), but the attempt to create exceptions in this fashion is directly inconsistent with the stated rule. If the Department can tolerate these "loopholes", it should do so more generally.

The overwhelming impracticality of the requirement for verbal agreements will increase cost, create enormous disruptions and impositions, and ultimately undermine the entire privacy effort. Once again, I refer to the recent Maine example where the legislature withdrew a rule that violated the expectations of patients and unduly burdened patients and their families. See also the discussion of the next-of-kin issue in Committee on Government Operations, Health Security Act, H.R. Rep. No. 103-601 Part 5, 103d Congress at 116 (report to accompany H.R. 3600) (1994).
Specialized Classes (Military, Intelligence Community, Veterans Affairs, and State Department)

The special rules provided in this section are too broad, except the rule for the Department of Veterans Affairs. The VA exception is the only one that seems narrow and specifically responsive to an apparent need. In the other cases, the government may have some legitimate needs for access to health records for individuals in the military and intelligence community, and, less likely, the Foreign Service. However, the permitted disclosures are too broad and do not include adequate procedural protections for patients. In most cases, the consent of the record subject should be sought as a first resort, except in emergency circumstances. Only where there is a demonstrable reason that consent is inappropriate should the rule authorize other methods of access. The requirement for publication of a notice by the Armed Forces is a step in the right direction, although it does not go far enough by requiring public comment. At a minimum, intelligence agencies and the State Department should be required to publish a similar rule defining the scope and circumstances of access to health records.

The Foreign Service disclosures are especially troublesome. I cannot imagine why the State Department needs to obtain health records of Foreign Service members or of family members of those who may serve abroad without any notice or consent. Exceptions to consent because of the laziness of program administrators should never be granted. The State Department has no comparable authority today to obtain health records without consent. If the State Department's current inability to obtain records without consent creates insurmountable difficulties, the case has not been presented publicly. Consent should be the preferred and only method for access for Foreign Service disclosures. The same policy should apply to family members of employees in the intelligence community.
If consent for necessary disclosures cannot be obtained, the proper remedy is to deny the foreign assignment. Obtaining information without consent is inappropriate, and it will likely conflict with state laws and policies on confidentiality. Because stronger state laws will continue to apply, the best that this rule could accomplish is to authorize requesting disclosures in some states but not others. Regardless, it is difficult to envision circumstances that would prompt a physician to disclose patient records to the State Department.

Rights of Individuals

Any covered entity that maintains a website for public use should be required to post its current notice of information practices on the web for public inspection. If an entity does not maintain a website, the public posting rule should not apply until the covered entity otherwise establishes a website.

The rule proposes to allow a covered entity to change its notice any time. This is a difficult issue, and the rule takes a practical position. However, the Department should consider efficient ways to make covered entities more accountable for their privacy policies and changes to privacy notices. First, a covered entity should be required to maintain for public inspection a log of all past notices with changes highlighted. Second, if a covered entity maintains a website for use by patients or by the public, it should be required to put a log of all notices and changes on the website. Public disclosure of changes will provide some degree of accountability by inhibiting entities from making unreasonable or unnecessary changes. Third, covered entities that have Internet capabilities should be required to establish listservs for sending email notification of any change to the standard patient notice. Snail mail notices would probably be too expensive to justify. Email notices would be nearly cost-free. Anyone should be able to subscribe to the listserv at no cost.
A covered entity affirmatively required to notify patients and, perhaps, the local newspaper, may think twice about making a change that would undermine patient privacy interests.

Access for Inspection or Copying

The rule permits a covered entity to deny access when a disclosure would be reasonably likely to endanger life or physical safety of the individual or another person. I disagree with the policy, at least in so far as it permits the withholding of information from a patient, because the patient would be placed in danger. The circumstances that would trigger this type of denial are so unlikely that the exception is not worth keeping. There is no evidence from experience with the Privacy Act of 1974 or state laws or policies regarding patient access that this exception is justified. Patients should be able to obtain access to their own records without any concern about the consequences to themselves. Regardless, it is a mockery of informed consent that a patient can authorize the disclosure of a record but cannot see the record.

By allowing a covered entity to deny access on the basis that disclosure will harm the subject of the record (no matter the standard), the rule allows for a complex and expensive administrative process. Record keepers may simply refuse all requests until the provider who created the record determines in writing that disclosure will not cause harm. An insurer or health plan that is not a provider could use this excuse to delay or deny access to all patients. Providers who are most capable of making the determination may have no incentive to do so, and they may simply ignore or delay responding to requests from covered entities for opinions. The result will be that any covered entity can use potential harm to the patient as an excuse for not complying with an access request. The availability of procedural denials and delays creates an opportunity for covered entities to deny patients their rights.
If retained, the exception should include these safeguards: 1) the exception should be considered to be permanently waived if not properly invoked within thirty days; 2) the rule should expressly provide that the exception cannot be used to withhold an entire record; 3) covered entities should be required to use the exception in good faith; 4) the burden of justifying the exception should expressly belong to the record keeper, and the record keeper should be expressly prohibited from asking the record subject to obtain approval from previous providers; and 5) all determinations of harm must be made by health professionals who must be identified by name if an individual is denied access to a record on the basis of a finding of harm.

By creating an exception that requires record keepers to exercise judgment, the rule creates an unnecessary liability. Covered entities that receive requests will worry that they will be liable if a disclosure results in harm, no matter how unlikely it may be. A rule that did not allow for an exception based on harm to the record subject would not present the same concern about liability. The result would be a simpler administrative process, more ready patient access, and less stress for covered entities.

The rule permits a covered entity to charge a reasonable, cost-based fee for copying. I do not object to permitting a fee, but the rule should be more specific. We have enough experience from the early days of the Freedom of Information Act to know that a loosely drafted fee schedule will result in high fees that impede access to records. A fee that is three times the direct and indirect cost may qualify as "cost-based" and still be excessive. I suggest that the fee be limited so that it does not exceed the lowest standard charge imposed by the covered entity for providing copies in other circumstances. In the alternative, the fee should be limited to direct costs of copying under a published fee schedule.
Accounting of Disclosures

The rule does not require disclosure to the record subject of any accounting records for disclosures for treatment, payment, and health care operations. This is a curious and mistaken choice. If audit trails of disclosures for treatment, payment, and health care operations exist, then record subjects should have the right to see the audit trails. Some institutions already maintain complete audit trails, and there is no reason to deny record subjects access to the trails when they exist.

Whether audit trails are valuable enough to require for all disclosures is a more complex decision. Routine activities for a single hospitalized patient may result in dozens or even hundreds of audit trails a day. An enormous volume of records would be created if the rule required recording all accesses. On the other hand, audit trails have great potential for preventing abuse of records or for identifying miscreants. Because most abuses are the result of activity by insiders, excluding disclosures for treatment, payment, and health care operations from an audit trail requirement would destroy the deterrent value of the audit trails. The rule should not discourage institutions from maintaining full audit trails. However, when the audit trails exist, record subjects should have access to them.

Audit trails for paper records are too expensive to require. Similarly, disclosures of information between providers through personal communications would also be expensive and cumbersome to record in an audit trail. However, when access to records comes through a computer, maintaining an audit trail is simple because it can be accomplished automatically. I recommend that the rule require audit trails for treatment, payment, and oversight (as well as all other disclosures) for computer systems. The requirement should be prospective so that it only applies to new computer systems placed in service at some time in the future.
If record keepers have sufficient notice of the requirement, it will be relatively easy to include an audit trail capability at little additional cost.

The rule allows an exclusion from the audit trail requirement for law enforcement or health oversight disclosures on written request. Under this rule, it will be routine for law enforcement and oversight agencies to seek exclusion from accounting every time they request a health record. Police or fraud investigators will enter a hospital, wave a badge, and offer a 27th generation photocopy of a boilerplate demand for accounting exclusion. This should not be acceptable. If there is an adequate reason for exclusion, the rule should require a court order. Obtaining a court order will establish a sufficiently high procedural barrier so that exclusions will not be sought casually. In the alternative, if a written request for exclusion is acceptable, the request should be dated, signed by a supervisory official, and contain a certification that the official is personally familiar with the purpose of the request and the justification for exclusion from accounting. It would be better if the rule required that the entire request for exclusion be hand written by the supervisory official.

Amendment or Correction

The rule permits a covered entity to refuse a request for correction if it did not create the information at issue. This limitation makes the amendment process a mockery. For example, many records at insurance companies will not be correctable because insurance company records mostly consist of claims from providers. The insurance company can refuse most requests for correction on strictly procedural grounds. At hospitals, incorrect records created by providers long-since dead or by health plans no longer in operation could remain uncorrected.
("We recognize that you contend your child is a male, but the record we received from your health plan says that the child is a female, and we don't have to consider your request for a correction.") Lazy administrators may simply pass the buck to someone else, who may deny creating or disclosing the record, who may just say that an old record cannot be located, or who may simply ignore a request that is not about a current patient. The proposed rule for correcting a record may force a patient back through a trail of record keepers that extends for decades. It will be an impossible challenge.

Even worse, the rule actually provides a defense to a hospital that does not want to correct a record that came from another source. Ethically, a provider would have an obligation to make sure that a questioned record is accurate. Under the rule, not only does a provider have no such obligation, it has a defense should it choose to deny a request for correction. ("The Secretary said that we don't even have to consider your request for correction.")

Consider the following scenario: An insurance company denies the claim of John Jones, Jr., for payment for an appendectomy on the grounds that he had an appendectomy last year. Jones says that it was his father who had an appendectomy last year. The insurance company can refuse to consider the request for correction because it received the information from the hospital. The hospital says that its records are correct and that the insurance company made the mistake. John Jones has no remedy under the rule, and the insurance company has a procedural excuse for refusing to correct the record and for denying the claim.

If a covered entity uses health information to make decisions about an individual, it must be required to consider in good faith any request for correction or amendment.
The proposed rule is perverse in that it establishes a policy that allows a covered entity to use information to affect the rights, benefits, or treatment of an individual but it does not require the entity to even consider a request for amendment in some circumstances. It is not necessary to require a covered entity to change a record that it did not create in all circumstances, but the covered entity must be required to consider the request in good faith if it is using the information to make decisions about the record subject. If requiring some record keepers to consider correction requests makes no sense (e.g., clearinghouses), then exempt those record keepers from the rule. The current exemption is the wrong way to solve the problem.

From owner-med-privacy@venice.essential.org Thu Dec 30 16:43:09 1999 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from smtp10.atl.mindspring.net (smtp10.atl.mindspring.net [207.69.200.246]) by venice.essential.org (Postfix) with ESMTP id ED3B521B08 for ; Thu, 30 Dec 1999 16:43:05 -0500 (EST) Received: from ix.netcom.com (user-2ini8mg.dialup.mindspring.com [165.121.34.208]) by smtp10.atl.mindspring.net (8.9.3/8.8.5) with ESMTP id QAA16137; Thu, 30 Dec 1999 16:43:00 -0500 (EST) Message-ID: <386BD310.9623F42C@ix.netcom.com> Date: Thu, 30 Dec 1999 13:48:05 -0800 From: Peter Marshall X-Mailer: Mozilla 4.08 (Macintosh; I; PPC) MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: multipart/mixed; boundary="------------ECFB3A3ADCE2E6FBCEC0005D" Subject: [Med-privacy] Surgeon General's Report This is a multi-part message in MIME format.
--------------ECFB3A3ADCE2E6FBCEC0005D Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable

> http://www.medscape.com/Medscape/psychiatry/journal/1999/v04.n06/mh1221.kenn/mh1221.kenn-02.html
>
> ------------------------------------------------------------------------
> First Surgeon General's Report on Mental Health
> ------------------------------------------------------------------------
>
> Dr. Satcher's Mental Health Report
[....]
> Chapter 7. Confidentiality of Mental Health Information
[....]
> Copyright © 1994-1999 by Medscape Inc.

--------------ECFB3A3ADCE2E6FBCEC0005D Content-Type: text/html; charset=iso-8859-1; name="mh1221.kenn-02.html" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline; filename="mh1221.kenn-02.html"

First Surgeon General's Report on Mental Health
[Medscape Mental Health 4(6), 1999. © 1999 Medscape, Inc.]

Dr. Satcher's Mental Health Report

Message From Donna E. Shalala, Secretary of Health and Human Services

Foreword

Preface

Acknowledgments

Table of Contents

Chapter 1. Introduction and Themes

Chapter 2. The Fundamentals of Mental Health and Mental Illness

Chapter 3. Children and Mental Health

Chapter 4. Adults and Mental Health

Chapter 5. Older Adults and Mental Health

Chapter 6. Organizing and Financing Mental Health Services

Chapter 7. Confidentiality of Mental Health Information

Chapter 8. A Vision for the Future

List of Tables and Figures

  
--------------ECFB3A3ADCE2E6FBCEC0005D-- From owner-med-privacy@venice.essential.org Thu Dec 30 18:51:22 1999 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from web802.mail.yahoo.com (web802.mail.yahoo.com [128.11.23.62]) by venice.essential.org (Postfix) with SMTP id 046DE21B08 for ; Thu, 30 Dec 1999 18:51:22 -0500 (EST) Received: (qmail 3715 invoked by uid 60001); 30 Dec 1999 23:51:23 -0000 Message-ID: <19991230235123.3714.qmail@web802.mail.yahoo.com> Received: from [198.139.141.131] by web802.mail.yahoo.com; Thu, 30 Dec 1999 15:51:23 PST Date: Thu, 30 Dec 1999 15:51:23 -0800 (PST) From: Whistle To: med-privacy@venice.essential.org MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="0-1804289383-946597883=:3234" Subject: [Med-privacy] Fwd: [DOEWatch] TV Programming announcement--Premiere of "Declassified: Human Experimentation" --0-1804289383-946597883=:3234 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Note: forwarded message attached. ===== Thistle __________________________________________________ Do You Yahoo!? Talk to your friends online with Yahoo! Messenger. http://messenger.yahoo.com --0-1804289383-946597883=:3234 Content-Type: message/rfc822 X-Apparently-To: weeethistle@yahoo.com via web802.mail.yahoo.com X-Track2: 2 X-Track: -50 Received: from pop5.onelist.com (HELO onelist.com) (209.207.164.53) by mta133.mail.yahoo.com with SMTP; 30 Dec 1999 02:43:49 -0000 Received: (qmail 26572 invoked by alias); 30 Dec 1999 02:39:41 -0000 Received: (qmail 23938 invoked from network); 30 Dec 1999 02:38:00 -0000 Received: from unknown (209.207.164.239) by pop5.onelist.com with QMQP; 30 Dec 1999 02:38:00 -0000 Received: from unknown (HELO imo-d06.mx.aol.com) (205.188.157.38) by 209.207.164.239 with SMTP; 30 Dec 1999 02:38:05 -0000 Received: from Magnu96196@aol.com by imo-d06.mx.aol.com (mail_out_v24.6.) 
id h.0.c414a638 (1813) for ; Wed, 29 Dec 1999 21:38:04 -0500 (EST) From: Magnu96196@aol.com Message-ID: <0.c414a638.259c1f8b@aol.com> Date: Wed, 29 Dec 1999 21:38:03 EST To: doewatch@onelist.com MIME-Version: 1.0 X-Mailer: AOL 3.0 for Windows 95 sub 52 Mailing-List: list doewatch@onelist.com; contact doewatch-owner@onelist.com Delivered-To: mailing list doewatch@onelist.com Precedence: bulk List-Unsubscribe: Subject: [DOEWatch] TV Programming announcement--Premiere of "Declassified: Human Experimentation" Content-Type: multipart/mixed; boundary="onelist.6253.13394" Content-Length: 2284 --onelist.6253.13394 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit

The World Premiere of "Declassified: Human Experimentation" (The secret history of U.S. military experiments conducted on millions of unwitting citizens) will air on the History Channel January 8, 2000, 8:00 p.m. EST

------------------------------------------------------------------------
DOEWatch List ----A Magnum-Opus Project --- The real Natl. Sec. Directive
Subscribe online: http://www.onelist.com
-based near the cryptic named X-10 [god and ten commandments] and Y-12 [yahweh and disciples] nuke weapons plants of the nuclear tabernacle of Oak Ridge.

"If the radiance of a thousand suns were to burst at once into the sky That would be like the splendor of the Mighty one... I am become Death, The shatterer of Worlds." -Oppenheimer July 16, 45 at Trinity from 5,000 year old Bhagavad-Gita

"We have discovered the most terrible bomb in the history of the world. It may be the fire destruction prophesized in the Euphrates Valley Era, after Noah and his fabulous Ark. Anyway we think we have found the way to cause the disintegration of the atom." -Quote from Truman's diary July 25, 45 after Potsdam and the "baby was born" and grew into "Little Boy" and "Fat Man" and the hydrogen bomb delivered by bomber named "Dave's Dream." Enola Gay's pilot, after Hiroshima, enters "My God" in the log.
"The Doctor of the future will give No Medicine, but will interest his patients in the care of the human frame, in diet, and in the cause and prevention of disease." -Attributed to Thomas Alva Edison

"In a time of universal deceit, telling the truth is a revolutionary act" -George Orwell

DOEWatch page: http://members.aol.com/doewatch

--onelist.6253.13394 Content-Type: text/html; charset="us-ascii" Content-transfer-encoding: 8bit


--onelist.6253.13394 Content-Type: text/plain; charset="us-ascii" Content-transfer-encoding: 8bit --onelist.6253.13394-- --0-1804289383-946597883=:3234--

From owner-med-privacy@venice.essential.org Fri Jan 7 16:25:16 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from stmpy.cais.net (stmpy.cais.net [199.0.216.101]) by venice.essential.org (Postfix) with ESMTP id 37ED921B09 for ; Fri, 7 Jan 2000 16:25:16 -0500 (EST) Received: from cais.com (dup-207-176-73-166.cais.net [207.176.73.166]) by stmpy.cais.net (8.8.8/8.8.8) with ESMTP id QAA24609; Fri, 7 Jan 2000 16:25:10 -0500 (EST) Message-ID: <387659AF.AC265E95@cais.com> Date: Fri, 07 Jan 2000 16:25:03 -0500 From: Robert Gellman X-Mailer: Mozilla 4.61 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: [Med-privacy] Privacy Bibliography

I maintain a health privacy bibliography, and I have distributed earlier versions of it here and elsewhere on the Net from time to time. It has gotten a bit too long for that now, and the nice folks at the Electronic Privacy Information Center have agreed to maintain it at their website.
It is public domain material and available for your use at: http://www.epic.org/privacy/medical/gellman.html

Bob -- + + + + + + + + + + + + + + + + + + + + + + + + Robert Gellman + + Privacy and Information Policy Consultant + + 431 Fifth Street SE + + Washington, DC 20003 + + 202-543-7923 (phone) 202-547-8287 (fax) + + + + + + + + + + + + + + + + + + + + + + + +

From owner-med-privacy@venice.essential.org Sat Jan 8 15:41:12 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from smtp6.mindspring.com (smtp6.mindspring.com [207.69.200.110]) by venice.essential.org (Postfix) with ESMTP id 18DC021B05 for ; Sat, 8 Jan 2000 15:41:11 -0500 (EST) Received: from ix.netcom.com (stl-wa36-23.ix.netcom.com [207.220.42.151]) by smtp6.mindspring.com (8.9.3/8.8.5) with ESMTP id PAA17977; Sat, 8 Jan 2000 15:41:05 -0500 (EST) Message-ID: <3877A22B.76B635FC@ix.netcom.com> Date: Sat, 08 Jan 2000 12:46:52 -0800 From: Peter Marshall X-Mailer: Mozilla 4.08 (Macintosh; I; PPC) MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: multipart/mixed; boundary="------------10098F2BCC1B9205A7A2B9C3" Subject: [Med-privacy] med-privacy: WA patients rights bill (edited) This is a multi-part message in MIME format. --------------10098F2BCC1B9205A7A2B9C3 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit --------------10098F2BCC1B9205A7A2B9C3 Content-Type: text/html; charset=us-ascii; x-mac-type="54455854"; x-mac-creator="4D4F5353"; name="6199" Content-Transfer-Encoding: 7bit Content-Description: Netscape Communicator Document Content-Disposition: inline; filename="6199" Content-Base: "file:///6%3A22%3A99/Desktop%20Folder/6 199" 6199
S-3567.1 _______________________________________________

SENATE BILL 6199
_______________________________________________

State of Washington 56th Legislature 2000 Regular Session

By Senators Wojahn, Winsley, Thibaudeau, Snyder and Goings

AN ACT Relating to health care patient protection
 

{+ NEW SECTION. +} Sec. 1. PATIENT RIGHTS. It is the intent of
the legislature that patients covered by health plans receive quality
health care designed to maintain and improve their health. The purpose
of this act is to ensure that health plan patients:
(1) Have improved access to information regarding their health
plans;
(2) Have sufficient and timely access to appropriate health care
services, and choice among health care providers;
(3) Are assured that health care decisions are made by appropriate
medical personnel;
(4) Have access to a quick and impartial process for appealing plan
decisions;
(5) Are protected from unnecessary invasions of health care
privacy; and
(6) Are assured that personal health care information will be used
only as necessary to obtain and pay for health care or to improve the
quality of care.

{+ NEW SECTION. +} Sec. 2. HEALTH INFORMATION PRIVACY. (1) Each
carrier that offers a health plan must develop and implement policies
and procedures governing the collection, use, and disclosure of health
information. These policies and procedures must include methods for
enrollees to access information about themselves and to amend any
information that is inaccurate, for enrollees to restrict the
disclosure of sensitive information about themselves, and for enrollees
to obtain information about the carrier's health information policies.
In addition, these policies and procedures must include methods for
carrier oversight and enforcement of information policies, for carrier
storage and disposal of health information, and for carrier conformance
to state and federal laws governing the collection, use, and disclosure
of personally identifiable health information. Each carrier must
provide a summary notice of its health information policies to
enrollees, including the enrollee's right to restrict the collection,
use, and disclosure of their own health information.
(2) Except as otherwise required by statute or rule, or a carrier's
disclosure made pursuant to requirements in RCW 70.02.050 and 70.02.900
for health care providers, a carrier is, and all persons acting at the
direction of or on behalf of a carrier or in receipt of an enrollee's
personally identifiable health information are, prohibited from
collecting, using, or disclosing personally identifiable health
information unless authorized in writing by the person who is the
subject of the information. At a minimum, such authorization must be
valid for a limited time and purpose; be specific as to purpose and
types of information to be collected, used, or disclosed; and identify
the persons who will be receiving the information.
(3) Nothing in this section shall be construed to prevent: (a) The
creation, use, or release of anonymous data that has been coded or
encrypted to protect the identity of the individual, and for which
there is no reasonable basis to believe that the information could be
used to identify an individual; or (b) the release by a carrier of
personally identifiable health information for health research subject
to the requirements of the federal "common rule" at 21 C.F.R. Secs. 50
and 56 (1968) and 45 C.F.R. Sec. 46 (1972).
(4) The commissioner shall adopt rules to implement this section
and shall take into consideration health information privacy standards
recommended by the national association of insurance commissioners and
other related professional organizations.
(5) The commissioner shall enforce the provisions of chapter 70.02
RCW as they apply to carriers.

{+ NEW SECTION. +} Sec. 3. INFORMATION DISCLOSURE. (1) A carrier
that offers a health plan may not offer to sell a health plan to an
enrollee or to any group representative, agent, employer, or enrollee
representative without first offering to provide, and providing upon
request, the following information before purchase or selection:

(c) A statement of the carrier's policies for protecting the
confidentiality of health information;
 
 

{+ NEW SECTION. +} Sec. 16. This act may be known and cited as the health care
patient bill of rights.

{+ NEW SECTION. +} Sec. 19. To the extent permitted by law, if any provision
of this act conflicts with state or federal law, such provision must be construed in
a manner most favorable to the enrollee.

{+ NEW SECTION. +} Sec. 20. If any provision of this act or its application to
any person or circumstance is held invalid, the remainder of the act or the
application of the provision to other persons or circumstances is not affected.

{+ NEW SECTION. +} Sec. 21. APPLICATION. (1) This act applies to: Health
plans offered, renewed, or issued by a carrier; medical assistance provided under RCW
74.09.522; the basic health plan offered under chapter 70.47 RCW; and public employee
health benefits provided under chapter 41.05 RCW.
(2) Except as provided in section 14 of this act, this act applies to contracts
renewing after June 30, 2001.

{+ NEW SECTION. +} Sec. 22. Section 14 of this act takes effect July 1, 2001.

{+ NEW SECTION. +} Sec. 23. The following acts or parts of acts are each
repealed:
(1) RCW 48.43.075 (Informing patients about their care--Health carriers may not
preclude or discourage) and 1996 c 312 s 2;
From owner-med-privacy@venice.essential.org Mon Jan 10 14:25:55 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from smtp7.atl.mindspring.net (smtp7.atl.mindspring.net [207.69.128.51]) by venice.essential.org (Postfix) with ESMTP id C2E2E21AFF for ; Mon, 10 Jan 2000 14:25:54 -0500 (EST) Received: from ix.netcom.com (stl-wa36-23.ix.netcom.com [207.220.42.151]) by smtp7.atl.mindspring.net (8.9.3/8.8.5) with ESMTP id OAA01744 for ; Mon, 10 Jan 2000 14:25:47 -0500 (EST) Message-ID: <387A338B.F2742975@ix.netcom.com> Date: Mon, 10 Jan 2000 11:31:36 -0800 From: Peter Marshall X-Mailer: Mozilla 4.08 (Macintosh; I; PPC) MIME-Version: 1.0 To: med-privacy@venice.essential.org Subject: [Med-privacy] AMA approves new policy on medical records privacy

> http://www.ama-assn.org/sci-pubs/amnews/pick_00/gvsf0103.htm
AMA approves new policy on medical records privacy

New AMA policy sanctions the use of personal medical information for public health and disease surveillance.

By Jay Greene, AMNews staff. Jan. 3/10, 2000.
AMNews Interim Meeting '99 coverage - AMA's Interim Meeting site.


San Diego -- With the Feb. 21 deadline nearing for final federal rules governing privacy of electronic medical records, the American Medical Association approved a policy statement it plans to use to argue for changes in the proposed regulations.

AMA officials said privacy and confidentiality of medical records is essential to safeguard the physician-patient relationship.

The new policy adopted by the AMA House of Delegates at its Interim Meeting last month was crafted by the Inter-Council Task Force on Privacy and Confidentiality and builds on a package of task force recommendations passed in June 1999 regarding the confidentiality of patient information used for medical research.

Waiting for federal regulations written by the Dept. of Health and Human Services is the last thing the AMA wanted. Under language in the Health Insurance Portability and Accountability Act of 1996, Congress had three years to develop legislation. When the congressional deadline expired Aug. 21, 1999, HHS was required by law to write regulations. The agency unveiled its proposal last month.

Spurred by many requests from the AMA, other medical groups, consumer organizations and some congressional lawmakers for more time to evaluate and respond to the proposed regulation, HHS has extended the public comment period from Jan. 3 to Feb. 17.

"The AMA is pleased that the deadline was extended," said AMA Trustee Donald J. Palmisano, MD, a co-chair of the privacy task force. "These are extensive regulations, and it is important that we fully review the regulations and give appropriate comment."

New AMA policy

The Association will use the new AMA policy not only to shape its response to the HHS proposal, but also to influence the congressional debate over medical records privacy that is expected next year, Dr. Palmisano said.

Adding to the AMA's already lengthy list of policy, the task force recommendations state that:

  • Disclosure of personally identifiable patient information to public health physicians and departments is appropriate for the purpose of addressing public health emergencies or complying with laws on public health reporting for disease surveillance.

"The public health community was extremely helpful in bringing us important information so that we could develop policy that respects patient privacy and, at the same time, protects the health of the patients in our nation," Dr. Palmisano said.

  • Physicians should counsel patients, before genetic testing, on the familial implications of genetic test results, and emphasize the importance of sharing results in instances where there is a high likelihood that a relative is at risk of serious harm and could benefit from early monitoring.
  • Patients should be notified of the sale or discontinuation of a medical practice whenever possible and asked for authorization to transfer their medical records to new physicians or care providers.
  • Only de-identified or aggregate data should be used for "business decisions," including sales, mergers and similar transactions when ownership or control of records changes hands.
  • The most appropriate authority for considering physician breaches of patient confidentiality is the relevant state medical practice act.
  • Knowing and intentional breaches of patient confidentiality represent a violation of the professional practice of medicine.

In other action, the house approved a resolution that calls for the AMA to work with the American Society of Addiction Medicine, the American Psychiatric Assn. and other medical organizations to ensure that impaired physicians have a right to medical confidentiality from their patients.

Several courts in recent years have ruled that physicians with HIV or who are chronic alcoholics or cocaine users have a duty to disclose those facts to patients. The AMA believes disclosure requirements will discourage physicians from seeking needed treatment.

Under ethics guidelines, the AMA already requires impaired physicians to seek help.

From owner-med-privacy@venice.essential.org Fri Jan 14 15:47:29 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from smtp10.atl.mindspring.net (smtp10.atl.mindspring.net [207.69.200.246]) by venice.essential.org (Postfix) with ESMTP id 26DF521B06 for ; Fri, 14 Jan 2000 15:47:25 -0500 (EST) Received: from ix.netcom.com (user-2ini8po.dialup.mindspring.com [165.121.35.56]) by smtp10.atl.mindspring.net (8.9.3/8.8.5) with ESMTP id PAA05861; Fri, 14 Jan 2000 15: