From owner-med-privacy@venice.essential.org Wed Dec 29 14:37:31 1999
Return-Path:
Delivered-To: med-privacy@venice.essential.org
Received: from stmpy.cais.net (stmpy.cais.net [199.0.216.101]) by venice.essential.org (Postfix) with ESMTP id 7132821B0F for ; Wed, 29 Dec 1999 14:37:31 -0500 (EST)
Received: from cais.com (dup-207-176-73-166.cais.net [207.176.73.166]) by stmpy.cais.net (8.8.8/8.8.8) with ESMTP id OAA26528 for ; Wed, 29 Dec 1999 14:37:30 -0500 (EST)
Message-ID: <386A62B8.A2A7391F@cais.com>
Date: Wed, 29 Dec 1999 14:36:24 -0500
From: Robert Gellman
X-Mailer: Mozilla 4.61 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: med-privacy@venice.essential.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: [Med-privacy] HIPAA Privacy Regs 1 of 4

I filed comments with HHS today on the HIPAA privacy rules. My comments are long (24 pages), and I want to make them more generally available. I certainly do not expect that everyone will agree with my comments. Indeed, I am sure that everyone will disagree with at least some of my comments. But I think that it is important that as many people as possible file comments with HHS. I hope that my comments may provoke some thinking and perhaps serve as a resource for others.

If anyone wants to copy some of my comments and file them on his or her own, that is fine with me. You can take my text, in whole or in part, and change it as you please. The point is that people must be heard from. Comments are due on February 17.

Because of the length of my comments, I have broken them up into three parts. I will send three more messages following this one, and each will be modestly long. If this subject doesn't interest you, you can just delete them.

The comments are all Y2K compatible. Of course, I can't say the same for your computer. Or mine for that matter.
Bob
--
Robert Gellman
Privacy and Information Policy Consultant
431 Fifth Street SE
Washington, DC 20003
202-543-7923 (phone) 202-547-8287 (fax)

From owner-med-privacy@venice.essential.org Wed Dec 29 14:47:59 1999
Return-Path:
Delivered-To: med-privacy@venice.essential.org
Received: from stmpy.cais.net (stmpy.cais.net [199.0.216.101]) by venice.essential.org (Postfix) with ESMTP id 8DA6C21B4F for ; Wed, 29 Dec 1999 14:47:59 -0500 (EST)
Received: from cais.com (dup-207-176-73-166.cais.net [207.176.73.166]) by stmpy.cais.net (8.8.8/8.8.8) with ESMTP id OAA27458 for ; Wed, 29 Dec 1999 14:47:55 -0500 (EST)
Message-ID: <386A6529.A4379E7D@cais.com>
Date: Wed, 29 Dec 1999 14:46:49 -0500
From: Robert Gellman
X-Mailer: Mozilla 4.61 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: med-privacy@venice.essential.org
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Subject: [Med-privacy] HIPAA Privacy Regs 2 of 4

Part 1 of my comments starts below my signature.

Bob
--

Comments on the Proposed Standards for Privacy of Individually Identifiable Health Information

Submitted by Robert Gellman
Privacy and Information Policy Consultant
431 Fifth Street SE
Washington, DC 20003
202-543-7923

Part 1 of 3

These comments on the HIPAA privacy standards represent my own views, and they are not submitted on behalf of any other person. Overall, I find that HHS made a good faith attempt to develop privacy standards in compliance with the congressional mandate. However, the proposed rules contain many troubling provisions, and I hope that the final rules will fix many existing problems.
The biggest problems with the proposed rules are in these areas:

· Unclear definition of health information and the resulting uncertain application of the rules to record keepers who are not providers or payers
· Uncertain application of the rules to health information not maintained in electronic format
· Overly broad definition of disease management that allows marketing and other inappropriate disclosures of patient information
· Broad exclusions and exemptions for the administrative convenience of federal agencies at the expense of personal privacy
· Failure to give patients sufficient ability to seek additional restrictions on disclosures for treatment, payment, and health oversight
· Lack of adequate procedural and substantive restrictions on law enforcement access
· Practical shortcomings for provisions allowing disclosures of directory information and to next-of-kin
· Incomplete accounting requirements
· Restricted amendment procedures that will not allow patients to even request changes to much information used to make decisions about their health care

In most cases, I tried to offer specific suggestions on how to change the rules. In addition, I include some suggestions for ways that the Department can change its own policies to provide patients with additional privacy protections that it may not be able to impose on others. For example, I propose that the Department adopt an internal policy preventing patient information obtained for law enforcement or oversight from civil, criminal, or administrative use against patients unless the patients are involved in health care fraud. This policy should be adopted for all health record keepers, but it may be beyond the scope of the Secretary's current HIPAA authority. However, nothing prevents the Secretary from adopting the same rule governing HHS activities.
Summary and purpose

The Department asked whether the scope of the rule should be extended to cover all individually identifiable information, including purely paper records maintained by covered entities. I believe that the rule should be written so that the boundaries between covered and uncovered information will be as clear and as easy to apply as possible. The preference should be for a rule covering more rather than less information. It would be a poor policy if record keepers could not tell when a particular item of information is subject to regulation.

The current draft makes it impossible in some circumstances for a person in routine possession of medical information to know if the rule covers the information. Events that take place in other locations, that involve activities of other people, and that occur later in time will affect whether the information has become protected health information.

If the Secretary is not willing to use her authority to cover all health records of covered entities, then the rule should be as simple as possible. A simpler and better rule is that if a covered entity transmits or expects to transmit any part of a patient's record electronically, then all information about that patient maintained by the covered entity becomes protected health information. For most health care institutions, this rule would mean that all patient records are protected health information. Entities that operate exclusively with paper records could remain outside the law.

Clarity, simplicity, and predictability are most important in threshold definitions. In this instance, the Department should adopt an alternative that makes the rule easier for record keepers to apply and that offers record subjects broader privacy protection.

Applicability

References to other laws: This section of the commentary offers a gloss on the phrase "authorized by law."
The explanation is, in essence, that an activity is authorized by law as long as a statute does not prohibit it. This is far too lax a standard. A good reference here is the ACLU of Wisconsin Data Privacy Project report titled In the Balance: State Government and Medical Records Privacy (May 11, 1998). The report documents that many state agencies gather, maintain, or use health information for a variety of purposes. If the proposed rule simply allows collection of identifiable health information by any state agency in the absence of an express statutory prohibition on collection, then the rule will have accomplished little.

For example, the provision that permits disclosures for governmental health data systems relies upon the "authorized by law" concept. It marries two broad and virtually unrestricted concepts and allows any government agency to seek health information, almost without limitation, based on the representation that it seeks the data for a "policy, planning, regulatory, or management function." [164.510(g)] The problem is not necessarily with allowing some degree of flexibility. However, applying two overly flexible provisions at the same time results in a standard that is so weak as to be non-existent.

An affirmative legislative decision to authorize use of medical data for a particular purpose should not be given the same weight as a failure to prohibit an agency from seeking health information. In some instances, it probably never occurred to bill drafters to prohibit the collection of patient data because the disclosure was unethical or unnecessary. To adopt a rule that treats a failure to prohibit as an authorization is perverse.

The solution here may not be simple. It may ultimately be necessary to require agencies to rely on affirmative statutory authority. As the commentary correctly points out, existing statutes may not expressly affirm the authority of agencies to obtain information.
An appropriate response would be to retain a reasonable degree of flexibility, but only for a limited period of three years following the effective date of the rule. If state legislatures want to grant agencies positive authority to obtain records, they will have the opportunity to do so in an environment where concern about privacy has been heightened and public debate on the appropriateness of agency use of health information can take place. If some agencies are subsequently unable to obtain positive authority to access health records, then so be it.

The current language essentially grandfathers all existing actual or implied authority to obtain health information. This is a poor policy choice. Instead, the Department should allow this degree of flexibility for no more than three years. Postponing any new restriction on the ability of state agencies (including law enforcement) to seek records without affirmative statutory authorization will accommodate essential state activities in the interim while requiring a review of those activities in a reasonable way.

An alternative solution is to identify and specify all permissible uses of health data by agencies or others under the guise of "authorized by law." This is a more difficult choice, but it would be better than abdicating responsibility as the proposed rule does.

Definitions

The definition of health information raises serious problems outside the treatment and payment process. Within the treatment and payment process, we can safely assume that all information about data subjects is health information. As a result, we do not encounter major line drawing problems. However, for employers or life insurers, the same assumption does not work. These non-medical record keepers routinely maintain other, non-health, information on individuals. How can they tell when personal information is health information within the meaning of the rule?
Schools would present the same problem, except that the rules unfortunately and inappropriately exempt most schools from the health privacy rules altogether.

In many circumstances, it will be impossible to determine reliably whether a particular item of information is health information. If a worker asks for a low salt meal in a company cafeteria, will that information require protection? Will a travel voucher for an employee contain health information after the press reports that the area the employee just returned from had an outbreak of Lassa fever? Does a request for a wheelchair for an airline passenger become medical information when collected by a company travel agent? Do measurements for workplace protective clothing have to be treated as medical information or does the answer depend on what the measurements are? Are the results of a workplace drug test health information or does the answer depend on exactly what the results are?

In contexts where it is not appropriate to assume that all information is health information, the broad language "relates to the past, present, or future physical or mental health or condition of an individual" does not help. For employers, life insurers, and perhaps others, the proposed definition will create impossible problems. The most workable solution is to cover health information in the hands of schools, employers, and life insurers only when they receive identified health information from a covered entity or when they create it while providing treatment or making payment. This is an area where certainty of application is more important than broad scope of coverage.

The definition of health plan excludes health care payment under property and casualty insurance. Putting aside the issue of workers' compensation, the definition creates a significant loophole for insurers who want to avoid the scope of the privacy rules in order to exploit health information for marketing or other uses unrelated to health.
From the perspective of a patient, the nature of the policy is not relevant. When a casualty insurance company pays for health care, the patient will think that the company looks the same as other insurance companies. Yet the rule denies a patient privacy rights for property and casualty insurance information. Sometimes, treatment may continue while the ultimate source of payment (property policy vs. health policy) remains unknown, perhaps for months or years. Will information be subject to the privacy rule in the interim, and how will covered entities or others know?

Workers' compensation is a complex subject that requires special treatment and reasonable accommodation. However, like other casualty insurance, it is not entitled to a complete exemption. The Department should not evade its responsibility to address these difficult issues by simply exempting them. If necessary, a separate and subsequent rulemaking should consider how to meet confidentiality interests of patients while allowing workers' compensation to be administered efficiently.

The definition of designated record set has two fundamental problems. First, record keepers will find it impossible to determine how to apply this term under the privacy rule. Second, the definition relies upon an outmoded and discredited concept from the Privacy Act of 1974. The Privacy Protection Study Commission recommended abandoning the retrieved in fact standard in the Privacy Act of 1974 more than twenty years ago. See Personal Privacy in an Information Society at 503-504 (1977). See also my article How to Amend the Privacy Act - Part II, in 23 Access Reports (August 20, 1997). Extending this failed concept from the earliest days of privacy law to a new arena is an exceedingly poor choice.

In any electronic data system, most records are retrievable. It is impractical to base a substantive requirement on a factual determination of record retrieval practices.
A record keeper could find a system covered by the rule if a few people actually used some records in unanticipated ways. Imagine the discovery that would be required in a compliance investigation to determine whether a particular record system was, in fact, a designated record set.

In my work with federal agencies under the Privacy Act of 1974, I consistently find a lack of understanding of the retrieved in fact standard. The Privacy Act originated in an era of paper records and mainframe computers, when it was more appropriate to distinguish between personal record systems based on administrative use. However, it is inappropriate to rely on the same standard in an era of personal computers, electronic databases, and computer networks. At some agencies, agency personnel now retrieve records that once fell entirely outside the scope of the Privacy Act, making the records unexpectedly subject to the Act. Agency compliance with the law is sometimes incomplete because of changes in administrative practices and technology. It is inevitable that a factually based standard will create identical problems in the health care community.

The motivation for the definition may be to exclude some records, such as backup files, from the access and correction requirements in the rule. Simpler solutions are available. One solution would allow a covered entity to exempt duplicate records not directly used to make decisions about individuals. See, e.g., section 101(b)(5) of H.R. 52, 105th Congress.

The definition of individual excludes foreign military and foreign diplomatic personnel and their dependents. The commentary offers no adequate justification for this exclusion. If it only applied to records maintained directly by the federal government, then the problems inflicted by the exclusion would fall exclusively on the federal government. But it includes care paid for by DOD, and this means providers, plans, and clearinghouses will have some patient records.
From the perspective of these other record keepers, the records will likely look exactly like other patient records, except for the arbitrary exclusion from the Act's protection. As a practical matter, the records may not be treated as outside the scope of the rule, if for no other reason than it would be an impossible administrative burden. However, if any covered entity treats the records as exempt, then - contrary to the likely intention - the covered entity may conclude that it lacks legal authority to make some disclosures permitted under the proposed rule. However, the covered entity would be able to exploit the records of this sensitive class of diplomats for marketing. If someone chose to create and market a list of foreign diplomats with cancer, the Department would more readily understand that the exclusion is a poor choice.

This exclusion is one of many instances where the proposed rule relies on an exclusion, exemption, or special rule for privacy matters involving federal agencies. While some governmental functions warrant special health privacy rules, the Department is too willing to allow other agencies to evade the purpose of the proposed rule with an unnecessarily broad special provision. The Department should put up more resistance to these requests from other agencies. The Department should identify the underlying problems and look for a narrow response rather than a total or broad exemption.

In the case of foreign personnel, it is particularly unconscionable that the Department agreed to deny privacy rights. These records are not exempt from special protections under federal alcohol and drug abuse statutes. They are not exempt under state laws, and the records will retain any stronger protections under state laws despite the proposed rule. This will only add to the confusion of record keepers and attenuate the point of the exception.
It will be impossible for record keepers to tell when the exemption actually applies or what the exemption means in practice.

Further, the United States faces serious international questions about the adequacy of its privacy laws and policies. To establish a new health privacy rule that exempts a class of foreign nationals from any privacy protection may have broad, negative repercussions for HHS activities, federal government activities, and for private companies. The exclusion eviscerates any argument that the health privacy rules offer individuals adequate privacy protection within the meaning of the European Union Data Protection Directive. Excluding any foreign nationals from privacy protections will exacerbate existing tensions with the European Union and other countries.

The definition of individually identifiable health information makes a good effort to reflect the complexities of determining what constitutes de-identified information. The definition and the associated discussion recognize the near impossibility of indisputably identifying a category of de-identified information. We may have reached the point where few, if any, compilations of individual-level personal data can be considered truly de-identified. So much personal data can be readily obtained from public and private sources that even small amounts of individual-level information without identifiers can often be matched with identifiable records. As the years pass and more personally identifiable data becomes available, the problem will only grow worse.

The proposed solution is a step in the right direction, but it does not go far enough. The definition should be accompanied by a procedure that offers greater protection to individuals while supporting appropriate use of information that may still be identifiable, despite the removal of overt identifiers. This procedure would require a covered entity seeking to disclose de-identified data to sign a formal agreement with the recipient.
The agreement would bind the recipient not to attempt - or to permit others to attempt - to re-identify any of the data. The agreement should state that it is expressly for the benefit of data subjects. This type of agreement would allow an aggrieved individual to seek legal remedies against a violator. The agreement not-to-re-identify approach has the advantage that the rule proposed for entities with appropriate statistical experience might no longer be necessary. All recipients would sign the same basic agreement.

The term research information unrelated to treatment is not clear. The need for the term is elusive. Frankly, I am unable to understand the point of the term and its associated substantive provision. Regular research information is subject to IRB oversight. This category of research information is apparently not. The recognition of two separate categories of research information is confusing and potentially troublesome. The failure here may be just one of explanation, but the Department has so far not met the burden of justifying its response to a problem that no one else has identified in twenty years of discussions about health confidentiality.

The definition of treatment includes disease management as an included function. Disease management is not a defined term, and this creates one of the biggest loopholes in the rule. Protected health information could be disclosed to virtually anyone - including marketers and employers - under the guise of disease management. It is essential that this loophole be closed.
The potential breadth of the term is evident from a definition recently adopted by the Disease Management Association of America:

    Disease management is a multidisciplinary, continuum-based approach to health care delivery that proactively identifies populations with, or at risk for, established medical conditions that: supports the physician/patient relationship and plan of care; emphasizes prevention of exacerbations and complications utilizing cost-effective evidence-based practice guidelines and patient empowerment strategies such as self-management education; and continuously evaluates clinical, humanistic, and economic outcomes with the goal of improving overall health.

It is difficult to imagine any privacy-invasive use or disclosure of patient information that could not be justified as disease management under this definition. The definition fails to recognize that patient privacy and patient consent are relevant as limiting factors in disease management activities. I certainly do not recommend the adoption of this definition in the regulations.

The Department should remember the response when the Washington Post revealed the use by Giant Food and CVS of patient information for marketing. The public reaction was intense, immediate, and negative. Although the pharmacies tried to justify the disclosures as disease management programs benefiting patients, the public would have none of it. The disclosures clearly violated patient expectations of confidentiality. The political reaction was swift as well, and pending health confidentiality bills were withdrawn and revised in an attempt to prohibit non-consensual disclosures of the type made by Giant Food and CVS.

I am not arguing that all uses and disclosures for disease management should be prohibited.
However, the Department should not allow any possibility that a marketer or employer will receive identifiable patient information for disease management - no matter the terms of the disclosure - without express patient notice and consent. Marketers and employers may be the primary focus of concern. However, disease management activities could theoretically allow disclosures of patient data to friends, neighbors, law enforcement agencies, fundraisers, or anyone else who might be able to remind a patient to take a drug, renew a prescription, or avoid injury.

I have several suggestions for remedying the problem.

First, disclosures for disease management to marketers and employers should be flatly prohibited without affirmative and explicit patient notice and consent. Under no circumstances should a patient be able to authorize a disclosure to a marketer or employer for disease management unless the authorization form expressly so states. A generic authorization permitting disclosures for disease management should not be sufficient to justify disclosure to an employer or marketer.

Second, the rule should permit uses (but not disclosures) of patient information for disease management purposes as long as a health plan or provider directly conducts the disease management activity. However, if a covered entity conducts disease management through a business partner or external entity, explicit patient notice and consent should be required. Notice and consent should be required even if the same activity conducted directly by the covered entity does not require patient consent.

Third, the Department should adopt a reasonable but narrow definition of disease management to prevent it from providing justification for any disclosure that a covered entity might care to make.
At a minimum, the disclosure should be based on a medical judgment by a medical professional that specific tasks or goals tied to specific outcomes will benefit a specific individual or a discrete and identifiable class of patients.

Fourth, if a covered entity receives a payment or other compensation from a third party to support a disease management program, the specific identity of the real party in interest providing the incentive and the amount should be disclosed to patients. Notice should be required even if a disease management program does not involve a disclosure of patient data to the third party providing the incentive.

Finally, a patient should be able to decline participation in disease management activities, and providers and health plans should be required to honor a patient's request. The right-to-restrict policy in the current rules does not give patients the absolute right to prevent disclosures for disease management.

End of Part 1 of 3

From owner-med-privacy@venice.essential.org Wed Dec 29 14:49:44 1999
Return-Path:
Delivered-To: med-privacy@venice.essential.org
Received: from stmpy.cais.net (stmpy.cais.net [199.0.216.101]) by venice.essential.org (Postfix) with ESMTP id 4493D21B4D for ; Wed, 29 Dec 1999 14:49:44 -0500 (EST)
Received: from cais.com (dup-207-176-73-166.cais.net [207.176.73.166]) by stmpy.cais.net (8.8.8/8.8.8) with ESMTP id OAA27653 for ; Wed, 29 Dec 1999 14:49:39 -0500 (EST)
Message-ID: <386A6590.F17D6F74@cais.com>
Date: Wed, 29 Dec 1999 14:48:32 -0500
From: Robert Gellman
X-Mailer: Mozilla 4.61 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: med-privacy@venice.essential.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: [Med-privacy] HIPAA Privacy Regs 3 of 4

Part 2 of my HIPAA privacy comments starts below the signature.
Bob
--

Comments on the Proposed Standards for Privacy of Individually Identifiable Health Information

Submitted by Robert Gellman
Privacy and Information Policy Consultant
431 Fifth Street SE
Washington, DC 20003
202-543-7923

Part 2 of 3

Minimum Necessary

I support the minimum necessary standard for disclosures despite the uncertainties involved. However, the Department needs to do a better job of explaining how the requirement will operate in different circumstances. Record keepers need more guidance so that they will understand how to apply the rule when disclosing records for research, public health, law enforcement, and other routine circumstances. The final rule should include operational examples that address differences between disclosing paper and electronic records, the role of medical professionals in making decisions, and how the rule might be applied in a different way over time as technology changes.

More explanation is crucial because the result of too much uncertainty may be more disclosure rather than less. If entities decide that they are at risk for making disclosures that exceed the minimum necessary, they may insist on broader disclosure authority to minimize that risk. For example, if asked to disclose records necessary for a determination of disability, a provider may refuse to decide what is necessary to the determination. The provider may instead insist on a disclosure authorization for the entire record. That protects the provider against violating the minimum necessary standard, but it undermines protections for patients. The Department must pay more attention to the allocation of risk and liability under this provision.
In at least some instances, a cautious record keeper may just refuse to provide records. Guidance will help to avoid unwanted results. We have considerable experience under the Privacy Act of 1974 documenting that it takes time for record keepers to become familiar with new disclosure restrictions. Guidance will shorten the time required for record keepers to feel comfortable, but it will not eliminate the uncertainty immediately. However, the likelihood of uncertainty is not sufficient reason to eliminate the minimum necessary standard altogether. It is a fundamental requirement for any health privacy rule.

The proposed rule states that the minimum necessary standard does not apply to uses or disclosures mandated by law. This is curious at best. When a law mandates a disclosure, a covered entity should disclose no more than the specific information required. For example, if a policeman may ask if a patient is present in a hospital, the hospital should disclose only the location information and not the diagnosis or other details. The statement that the minimum necessary standard does not apply gives the wrong impression. The rule should state that legally mandated disclosures are bound by and may not exceed the statutory mandate. Record keepers should be directed not to turn over entire patient records in response to a legally mandated request. For example, for mandatory STD reporting, disclosures should be limited to STD information and should not extend to other diagnostic or test information or to provider notes.

Right to Restrict

The choice made by the rule to allow disclosures without authorization for payment and treatment is a compromise that only works if the small percentage of patients who want additional restrictions on routine disclosures can be reasonably accommodated.
For more on the shortcomings of requiring patient consent for treatment and payment, see the chapter I wrote on Personal, Legislative, and Technical Privacy Choices: The Case of Health Privacy Reform in the United States in Visions of Privacy: Policy Choices for the Digital Age (Bennett & Grant, eds., 1999, Univ. of Toronto Press).

Giving individuals a realistic opportunity to seek restrictions on payment and treatment disclosures authorized by the rule is crucial. However, the proposed rule does not strike an adequate balance. A health plan or provider might simply refuse all patient requests for additional restrictions because of a plan's or provider's laziness or administrative convenience. The commentary goes too far in telling covered entities that they can decline to even consider requests. For example, if a patient decides to pay for health care out-of-pocket rather than use insurance coverage, the patient will accomplish nothing if the provider refuses to conceal the treatment from the insurance company.

I recognize that contractual or other circumstances may justify a refusal of a patient request from time to time. Nevertheless, patients still need more consideration of their requests. The solution is to require that covered entities negotiate with patients over disclosure restrictions in good faith and that they must provide a written reason for rejecting the request of a patient. Fairer negotiations and clearer explanations will provide those patients whose requests cannot reasonably be accommodated with an opportunity to make other arrangements for their health care.

Covered entities should also be required to keep track of how they handle patient requests for restrictions so that HHS can review the degree of good faith shown in handling requests. Without a record-keeping requirement, those at HHS charged with enforcement may be unable to determine if an entity treats patients' requests fairly and honorably.
Business Partners

Covered entities disclose protected health information to many different business partners. Written contracts are appropriate for many of these disclosures in the way that the rule provides. However, the same procedure is not appropriate or practical for all relationships. For example, patients' records may technically be "disclosed" to companies providing telephone service, delivery service (the law protects Postal Service mail against opening for inspection, but courier services have no similar legal restrictions), Internet service, credit card support, equipment repair, financial audits, and legal service. Records may even be "disclosed" to moving companies hired to haul boxes from one location to another. Telling each covered entity to negotiate an agreement with every company providing routine, standard services is unnecessary at best and terribly expensive at worst. The Department should identify as many standard disclosures as possible and should develop language that meets the requirements and intent of the privacy rule for service providers to incorporate in standard contracts. This will avoid the need for tens of thousands of individual negotiations. The idea is similar to the proposal to exempt disclosures for consultations for treatment. A similar approach for selected other disclosures will be the most efficient way of solving common problems and will reduce the costs of compliance significantly. It will also benefit contractors who will not find it necessary to repeat identical negotiations with their subcontractors.

Deceased Persons

I support the decision to place a two-year limit on the application of confidentiality principles after death. This policy choice makes a reasonable balancing of the complex interests that arise.

Individual Authorization

The collection of authorizations for marketing uses and disclosures is fraught with potential abuses.
In the past, disclosure of patient information for marketing purposes was unethical. The omnivorous demands of marketers combined with the allure of profits for record keepers and the growth of health plans that operate without any of the traditional provider ethical constraints have significantly weakened disclosure standards to the detriment of patients. An unfortunate consequence of standardizing procedures for authorizations may be that demands on patients for marketing authorizations will increase as covered entities learn how to pressure patients into signing authorizations. The Department should use the rule to stop the trend toward increased trafficking by marketers in patient data. Most patients strongly object to marketing activities based on identifiable patient data, but sick or inattentive individuals may not be able to understand or resist pressure from health plans or others to sign authorizations for marketing. One easy change is to expressly prohibit any clearinghouse from seeking patient authorization for marketing disclosures. I doubt that any clearinghouse would object. For plans and providers, I offer several ideas. First, a covered entity should be prohibited from seeking consent from patients for any marketing disclosures that benefit a third party. Third parties that want patient information for marketing should be forced to obtain the authorizations directly from patients and without the assistance or intervention of a covered entity. The purpose is to remove any incentive that a plan or provider might have to do business with marketers. Note that this suggestion applies only to disclosures and not to uses. A covered entity that seeks to market its own products or services directly to patients should be able to do so with notice and consent. However, any use that involves a disclosure of any type to a third party should not be permitted.
Further, the marketing use must be for a service or product provided directly by the covered entity and not by any affiliated company. This type of restriction is necessary to prevent consumer marketing companies or others from purchasing health care providers just for the ability to access patient records for marketing purposes. This is not as far-fetched an idea as it might seem. The merger of Citibank and Travelers Corporation was justified in large measure by the value of cross marketing. Second, it is not sufficient for an authorization to reveal that the covered entity requesting the authorization will gain financially from the disclosure. The identity of the person providing the financial incentive should be included on the authorization, along with the amount of the financial gain. If these requirements inhibit the marketing uses of identifiable health information, that would be appropriate. It was not the intent of Congress nor should it be the purpose of the Department to make it easier for marketers to obtain patient information. Third, the rule should require full public disclosure of all marketing arrangements between covered entities and others. The details should be disclosed on the website of the covered entity or available upon the request of any person. If disclosure inhibits a covered entity from seeking authorizations for marketing, so much the better. No one should be permitted to hide a marketing campaign based on identifiable patient information behind a business confidentiality screen. Here too, the goal should be to discourage marketing using identifiable patient information. Fourth, the rule should provide that all authorizations for marketing expire in six months. A short, fixed period for these authorizations is essential so that a casual agreement by a patient in a weak or confused moment will not result in a lifetime of marketing disclosures by an avaricious covered entity. 
Additionally, accounting for marketing disclosures should include not only the person who received the information but the actual party in interest as well. For example, if a pharmacy disclosed patient data to a lettershop for a marketing campaign funded by a drug manufacturer, the accounting should identify both the lettershop and the manufacturer. Telling the patient that the XYZ Lettershop received the data is not as meaningful as telling the patient that the ABC Pharmaceutical Company benefited from the disclosure. The proposed rule states that a covered entity may not condition treatment or payment on a patient's authorization. This is a step in the right direction, but it does not go far enough. The rule does not prohibit the use of financial incentives to induce a patient to sign an authorization. For example, a health plan could offer a discount to patients who sign an authorization. If allowed, financial incentives could be used unfairly. For example, a health plan could establish a high copayment but reduce it drastically for patients who sign an authorization. This conduct should be prohibited. The rule does not require the use of a contract between a provider and a pharmaceutical company, but it requested comment on the idea. In my view, a contract that identifies the patient as a third party beneficiary is valuable. At best, the Department's enforcement will be able to identify, investigate, and sanction only a small fraction of abuses. By giving patients enforcement rights as third party beneficiaries under contracts, patients will be able to supplement the work of the Department by seeking enforcement of their own rights in court. The rule should not only require contracts with third party beneficiary clauses for arrangements between providers and pharmaceutical companies, but it should require such contracts for all allowable arrangements between covered entities and anyone seeking information for a marketing purpose. 
The rule should provide that all authorizations be dated on the day that they are signed. No one should be allowed to collect an authorization to become valid on a date in the future to be designated by the person seeking the authorization. There have been abuses of the dating of disclosure authorizations in other circumstances. The provision in section 164.508(a)(2)(iv) that prohibits a covered entity from seeking an authorization covering treatment, payment, or health care operations needs to be rethought. At times, a patient or provider may need a signed consent to comply with a state or foreign law, or in other special circumstances. In other cases, a provider (e.g., a psychiatrist) that shares a patient's concern about confidentiality may affirmatively seek an authorization narrowing the provider's ability to disclose information. The proposed rule prevents that from happening. I suggest amending the provision to prevent a provider from routinely requiring a patient authorization for treatment, payment, or oversight that permits more disclosures than allowed by the rule. If a provider wants either a narrower authorization or an authorization identical to the rule, the patient should be allowed to agree.

Health Oversight

The definition of health oversight activities includes almost any activity pertaining to government benefit programs. The rule should make it clear that government benefit programs requiring health information about applicants need authorizations. The authority to use health information in the oversight process should not be construed to include the initial collection of benefit information for routine health or welfare programs. Applicants should know when an eligibility decision requires health information. They should be asked to consent. Consent should be the default method for obtaining access to records.
The commentary says that the regulation allowing a health oversight agency to obtain health information does not create any new right of access to records. That point is absent from the rule. It is crucial to make this point clearly in the body of the rule. Disclosures for health oversight can be a significant invasion of personal privacy. When they are necessary to serve a broader societal interest, patients deserve better protection. Some legislative proposals introduced in recent years include a policy that prevents information disclosed for a purpose such as health oversight from use in any administrative, civil, or criminal action or investigation against the subject of the record unless the action or investigation arises out of and relates to receipt of or payment for health care. It would be appropriate for the Department to include this policy in its rule. Admittedly, there is some doubt about the authority of the Secretary to impose this type of patient protection through the rule to all oversight agencies. However, the Secretary has more than enough power to order all components of the Department to follow the policy. Accordingly, I recommend that the Secretary issue an administrative order prohibiting all Department components from using any patient records obtained for oversight activities in any administrative, civil, or criminal action or investigation against the subject of the record. I would allow an exception if the action or investigation arises out of and relates to receipt of or payment for health care. The same order should cover law enforcement, public health, and other non-consensual disclosures. An administrative order of this type could be issued immediately and without waiting for the privacy rule to take effect. Further, the entire federal government should operate under these restrictions on reuse of information even if the legal authority to mandate the restrictions on others does not exist. 
The Secretary should seek the issuance of an executive order or similar presidential document to impose the same restrictions government-wide. The federal government should take the lead in implementing patient protections and should provide an example for the states. The federal government was a leader, for example, in using Miranda warnings in law enforcement investigations. Federal administrative action might encourage states to adopt legislation limiting their own agencies from using information disclosed for a specific purpose in another way that undermines the privacy interest of patients.

Judicial and Administrative Proceedings

The proposed rule permits a covered entity to disclose protected health information that relates to a party whose health condition is at issue in a proceeding and where the disclosure is pursuant to lawful process such as a discovery order. The rule assumes that because the subject of the record is a party to the proceeding, the subject will have notice of discovery orders. This is not always true. The rule needs to be modified to require actual notice to the record subject or to the subject's lawyer. Further, access through this method should be limited to instances in which the record subject placed his or her medical condition or history at issue. If another party to litigation raised a medical question, then the party seeking the record should be required to obtain a court order rather than a routine discovery request. The rule should establish a process that offers appropriate assurance to record keepers as well as adequate notice to the subject of the record. A person seeking protected health information through discovery should be required to notify the subject or the subject's attorney of the request for information.
The person seeking the information should be required to provide the covered entity holding the information with a signed document attesting 1) that the subject of the record is a party to the litigation; 2) that the individual has placed his or her medical condition or history in issue; 3) the date on which the subject of the record received notice of the request; and 4) that ten days have passed after the notice and the subject of the record has not objected. See section 118 of H.R. 52, 105th Congress. This procedure will assure that the subject of protected health information receives actual notice of a discovery request and that the subject can object in a timely fashion. Just because litigation involves an individual's medical condition, the individual's entire medical file will not necessarily be relevant. If litigation involves a broken leg, the disclosure of the plaintiff's psychiatric records may not be relevant. The general rule limiting disclosures to the minimum amount of information necessary to accomplish the purpose should be fully applicable. Patients can use the rule to contest the scope of discovery requests. Of course, if a dispute arises over a discovery disclosure, the notice procedure allows the tribunal considering the matter to resolve it without any involvement on the part of the covered entity.

Law Enforcement

The law enforcement access provision has many shortcomings, and I will leave it to others to raise broader objections and to discuss the role that courts should play in approving law enforcement access. I will only comment on a few aspects. The proposal allows any law enforcement agent to obtain health information without requiring a written request. The commentary is significantly misleading in suggesting that a writing is required. The rule itself makes it clear that the police can receive patient data simply by flashing a badge and making an oral request.
The rule should require that any routine request for information from the police be in writing and signed by a supervisory official. The proposed three-part test is mildly useful and should be retained. However, unless law enforcement agencies make their determinations in a written and signed document, the requirement will be an ineffective barrier to inappropriate access. An oral representation that the request qualifies under the test has little significance. Law enforcement agencies should be obliged to state with some precision the information that they require. If the police need only the location of a patient, they should not obtain access to the complete patient record. The police must provide enough information about their needs to allow application of the minimum purpose rule. The commentary says that substance abuse records continue to be covered by 42 U.S.C. 290dd-2. That statement belongs clearly in the rule itself or else it will create unnecessary confusion. The rule governing disclosures for intelligence and national security activities needs reconsideration. As written, the provision allows a large number of employees of many different agencies to make requests for health records. The rule requires no writing or involvement by supervisory personnel of the requesting agency. The rule offers no protections to patients. It is far from apparent why any personnel of the National Reconnaissance Office or the other agencies identified in the law as part of the intelligence community need the ability to seek health records. Nothing in the Privacy Act of 1974 allows such broad and unrestricted access by intelligence agencies to health records or even to less sensitive records about individuals. The intelligence community needs to make its case for access to federally maintained health records in a public way. The rule should be revised to permit disclosures only for those specific needs. 
Further, all requests for access should be accompanied by a written request signed by a supervisory official of the agency. The same is true for the Secret Service. Its need for information in support of protective functions should be met under the emergency circumstances provision of the rule. The disclosure by a physician or psychiatrist of patient information to the Secret Service without a serious and imminent threat is inappropriate and unethical. The Secret Service has not justified the need for nonconsensual disclosure in other circumstances.

Governmental Health Data Systems

A recent ACLU report documents the widespread use of health data by government agencies. See ACLU of Wisconsin Data Privacy Project, In the Balance: State Government and Medical Records Privacy (May 11, 1998). The report shows that many state agencies gather or use medical information for different purposes. If the proposed rule simply allows the continuation of any collection of identifiable health information by any state agency, then the rule will accomplish little to protect patient privacy. The commentary tries to make a case for permitting open-ended authority for the collection of health information for health data systems with a variety of functions. I do not oppose allowing legitimate health data systems to obtain patient information under defined circumstances when information in the data system has adequate protection. The rule, however, imposes no procedural or substantive requirements on disclosures to health data systems. Indeed, the rule allows disclosure of health data for policy, planning, regulatory, or management functions entirely unrelated to health care. The police could qualify to obtain all identifiable patient data for a database designed to help the police make decisions about management of the use of police resources near a health care facility.
Requiring verification of identity, as provided in section 164.518(c), is appropriate, but the suggestion that verification presents a significant barrier to access is wrong. The standard for access is so broad that dozens of federal and state agencies with no direct health responsibilities could legitimately obtain information. Virtually any government agency in the United States could use this provision to seek health records unless expressly prohibited by law from doing so. Under the verification rule, agency personnel need only show an identification card and orally state that they qualify for access. The rule needs several changes to address access by agencies that do not have express statutory authority to obtain patient data. First, an agency seeking data should be required to inform the public of its request. Many requests will be routine and continuing so a public notice requirement will not be onerous. The notice should allow for public comment before any actual disclosures. Second, if data collected for a governmental health data system can be used in any way against a patient, then the public notice should be required to explain all of the possible consequences. Third, the requesting agency should be required to make a written request, state the reason for the request, and identify all planned uses of the information. Fourth, the rule should require the removal of identifiers at the earliest opportunity consistent with the purpose of access. Finally, the purposes for authorized disclosure need to be much more carefully defined and limited to health care functions. This provision should not create a backdoor excuse for access by police, schools, libraries, or other agencies that have no need for individual level or identifiable patient data.

Directory Information

I support disclosures of directory information with an opt-out by a patient, except in circumstances where the information will reveal information about the patient's condition.
The proposed rule is far too impractical. The rule requires agreement by patients. Lawyers are likely to interpret this to require a writing. How else can a covered entity document patient approval when a dispute arises? The commentary says that verbal agreement is adequate. The rule itself says no such thing. Even if it did, providers would still face the practical requirement of documenting that the patient was asked. A failure to check a box on an admission form could open providers to liability. Allowing verbal agreement is impractical in other ways. I recently spent an hour in an emergency room, where dozens of patients awaited care. When a physician was ready for the next patient, a nurse entered the waiting room and called the name of the patient. The presence of the patient in an emergency room is directory information, and the announcement is a disclosure. If a patient objected to the release of directory information, then how would the nurse find the next patient? When disclosing directory information, privacy must yield to the practicalities of the world. Telling emergency room personnel that they must ask each patient for permission to call his or her name will only create burdens and unnecessary liability for providers. The same will be true in any physician's office. It is sufficient to allow a patient with a special concern about directory information to step forward with that concern and make a special arrangement. The Department should reexamine the lesson from the Maine health privacy law that the legislature withdrew and revised because it imposed impractical limitations on the operations of the health care system. The public will not tolerate a privacy law that is not practical and that imposes unreasonable burdens on patients and their families. 
End of Part 2

From: Robert Gellman
Date: Wed, 29 Dec 1999 14:50:20 -0500
To: med-privacy@venice.essential.org
Subject: [Med-privacy] HIPAA Privacy Regs 4 of 4

Part 3 (the last part) of my comments on the HIPAA privacy rules starts below the signature.

Bob

Comments on the Proposed Standards for Privacy of Individually Identifiable Health Information
Submitted by Robert Gellman, Privacy and Information Policy Consultant
Part 3 of 3

Banking and Payment Processes

The proposed rule addresses a problem, but the rule is too broad. Disclosures to a bank or other financial institution without express patient consent should only be permitted after a patient offers a check, credit card, or other payment method to the provider. The presentation of a payment method is the moral equivalent of consent for disclosures necessary to complete the transaction. The rule should expressly make payment disclosures contingent on a prior patient action.
Presentation of a check or credit card or a standing authorization of a payment method would suffice. However, it should be improper to assume that a patient who previously paid by credit card intended to continue that payment method without evidence supporting the intention. No provider should be able to query banks or other institutions looking for someone who has funds to pay a bill. Further, the provision should expressly exclude bill collectors from receiving information. Bill collectors should be business partners and fully subject to the rule because of their relationship with providers. Disclosures to credit bureaus by covered entities should require patient consent unless a limited disclosure reveals no protected health information at all. However, a credit card company should be able to disclose an unpaid bill to a credit bureau under applicable law even if the bill covers health care services. A disclosure to the credit bureau would not normally identify the nature of the transaction that gave rise to the debt, unless the credit card is exclusively for health expenses. Finally, the rule should expressly ban the disclosure to financial institutions of any diagnostic information or other detailed treatment information. If questions arise about a transaction that might justify any detailed disclosure, then patient involvement and express consent should be required. The suggestion in the commentary that disclosures be limited to specific data elements is entirely appropriate, but the rule should expressly list the elements.

Research

I support access to records by researchers without patient consent under the general terms suggested in the proposed rule. I support researcher access even though the research community has done a consistently poor job of explaining to the public why it needs identifiable patient records without consent. I believe that the public interest justifies disclosures under proper supervision by IRBs.
The proposed additions to the Common Rule are reasonable. The Department should ignore the mewing of some researchers who do not want to accept any additional responsibility for the protection of the records that they need. Researchers are so convinced that their work is in the public interest that they have not bothered to try to make the case publicly. It would not take much of an effort to arouse public concern about researcher access and to overturn the generally open access to records that the research community has been able to maintain for many years. Complaints that a new privacy rule will make it harder to convince record keepers to share records with researchers should be ignored as well. No matter what the rule provides, record keepers will inevitably be more wary about disclosing records in the future. Some new additional limitations and refusals are inevitable. This would be true even if the rule allows unrestricted access for research or grants record keepers full immunity from liability for researcher disclosures. It would also be true even if the Department withdraws the rule and no legislation ever passes. Greater public concern about privacy has permanently altered the environment for disclosure of personal information. In any event, researchers propose more good research than can possibly be funded - even with increased budgets - so that if some projects become impossible because of changing attitudes on information sharing, other good research will take its place and benefit the public just as much. I have several suggestions for Department actions on research, not all of which necessarily call for changes in the proposed rule. If changing the rule is not appropriate to satisfy these suggestions, the Department should use other existing authority to accomplish the objective. First, IRB members should be required to undergo privacy training. This can be accomplished in a variety of low-cost, administratively simple ways. 
Privacy training should be mandatory for IRB chairs and co-chairs. Other IRB members should have to undergo training on a rotating and periodic basis (e.g., every two years). Second, IRBs should be required to have at least one person with professional training or experience in either privacy or security. Third, IRBs should be required to maintain websites and to publicly post information about proposed or approved projects. Fourth, the Department asked for comment about the possibility of using contracts with covered entities regarding access to and use of patient records. This is an idea worth exploring, but it is not something that should be generally required at this time. Instead, the Department should accept the initial burden of testing the idea by imposing a requirement for contracts as a condition of access to its own records. This test would provide an opportunity to see how the idea works in an environment where most of the costs of the contracting itself would be borne by the Department. A modest test would provide a better assessment of the practicality and administrative consequences of mandating contracts more generally. Any contracts should be written to treat a record subject as a third party beneficiary so that the subject could sue for breaches of privacy. Fifth, some in the research community routinely state in public that there have been no breaches of confidentiality by researchers. No one has attempted to study this issue, and I recommend that the Department take steps to collect data. Based on anecdotal evidence, it appears that some examples can be found readily. If initial findings warrant further action, the Department might consider initiating a full investigation. We need to know the scope of researcher misuse of patient information. The proposed rule about individual access to records of clinical trials also requires some adjustment. The rule limits access as long as a trial is still in progress.
I do not believe that any limitation on patient access is appropriate. Patients have rights of access today under the Privacy Act and under some state laws. No one has offered evidence of a single clinical trial that was unduly disrupted by patient access. Researchers can explain the need for double-blind studies to participants, and many will agree to defer access. Those who do not understand or agree can always drop out of a trial and disrupt it that way. Further, the limitation will only motivate patients to file malpractice suits against researchers to obtain access. Also, because state laws often provide for patient access, the clinical trial exception is only likely to be available occasionally. Some trials last for decades, and this rule will make it impossible for patients to obtain their records although they are not participating in the trial anymore. The restriction on access could still be in place years after a patient died. If the rule retains any limitation on access, it should nevertheless require access if a patient is no longer a participant. In addition, if a patient seeks access to information for medical reasons relating to treatment, access should be required. It would be unethical and outrageous to deny a patient access to records if the patient has received drugs or treatment that negatively affected his or her health. It is my understanding that these disclosures are often required as part of the approval process for clinical trials. The commentary suggests later that disclosures for treatment should be permitted where appropriate. This is a lovely sentiment, but it is meaningless unless stated as a mandatory exception in the rule itself. Finally, the clinical trial exception should make it clear that the exception has no bearing on patient access in litigation.

Next-of-Kin

The rule's next-of-kin provision is another example of a policy that is impractical.
I recommend that next-of-kin disclosures be allowed for oral disclosures of protected health information about an individual to the next-of-kin or to a person with whom the individual has a close personal relationship if (a) the entity has no reason to believe that the individual would consider the information to be especially sensitive; (b) the individual has not previously objected; (c) the disclosure is consistent with good medical or other professional practice; and (d) the disclosure is limited to information about current health care treatment. See, e.g., section 114 of H.R. 52, 105th Congress. Requiring verbal agreement by patients will not work well in the real world. Lawyers for covered entities are still likely to insist on a writing to prove that the entity asked and that the patient agreed. Without documentary evidence, an entity faces the prospect of liability for any disclosure just on procedural grounds. It is easy to envision circumstances in which the failure to obtain verbal consent will create real world disruptions. The commentary seeks to deal with some (e.g., disclosures by a pharmacist), but the attempt to create exceptions in this fashion is directly inconsistent with the stated rule. If the Department can tolerate these "loopholes", it should do so more generally. The overwhelming impracticality of the requirement for verbal agreements will increase cost, create enormous disruptions and impositions, and ultimately undermine the entire privacy effort. Once again, I refer to the recent Maine example where the legislature withdrew a rule that violated the expectations of patients and unduly burdened patients and their families. See also the discussion of the next-of-kin issue in Committee on Government Operations, Health Security Act, H.R. Rep. No. 103-601 Part 5, 103d Congress at 116 (report to accompany H.R. 3600) (1994).
Specialized Classes (Military, Intelligence Community, Veterans Affairs, and State Department)

The special rules provided in this section are too broad, except the rule for the Department of Veterans Affairs. The VA exception is the only one that seems narrow and specifically responsive to an apparent need. In the other cases, the government may have some legitimate needs for access to health records for individuals in the military and intelligence community, and, less likely, the Foreign Service. However, the permitted disclosures are too broad and do not include adequate procedural protections for patients. In most cases, the consent of the record subject should be sought as a first resort, except in emergency circumstances. Only where there is a demonstrable reason that consent is inappropriate should the rule authorize other methods of access. The requirement for publication of a notice by the Armed Forces is a step in the right direction, although it does not go far enough by requiring public comment. At a minimum, intelligence agencies and the State Department should be required to publish a similar rule defining the scope and circumstances of access to health records. The Foreign Service disclosures are especially troublesome. I cannot imagine why the State Department needs to obtain health records of Foreign Service members or of family members of those who may serve abroad without any notice or consent. Exceptions to consent because of the laziness of program administrators should never be granted. The State Department has no comparable authority today to obtain health records without consent. If the State Department's current inability to obtain records without consent creates insurmountable difficulties, the case has not been presented publicly. Consent should be the preferred and only method for access for Foreign Service disclosures. The same policy should apply to family members of employees in the intelligence community.
If consent for necessary disclosures cannot be obtained, the proper remedy is to deny the foreign assignment. Obtaining information without consent is inappropriate, and it will likely conflict with state laws and policies on confidentiality. Because stronger state laws will continue to apply, the best that this rule could accomplish is to authorize requesting disclosures in some states but not others. Regardless, it is difficult to envision circumstances that would prompt a physician to disclose patient records to the State Department.

Rights of Individuals

Any covered entity that maintains a website for public use should be required to post its current notice of information practices on the web for public inspection. If an entity does not maintain a website, the public posting rule should not apply until the covered entity otherwise establishes a website. The rule proposes to allow a covered entity to change its notice any time. This is a difficult issue, and the rule takes a practical position. However, the Department should consider efficient ways to make covered entities more accountable for their privacy policies and changes to privacy notices. First, a covered entity should be required to maintain for public inspection a log of all past notices with changes highlighted. Second, if a covered entity maintains a website for use by patients or by the public, it should be required to put a log of all notices and changes on the website. Public disclosure of changes will provide some degree of accountability by inhibiting entities from making unreasonable or unnecessary changes. Third, covered entities that have Internet capabilities should be required to establish listservs for sending email notification of any change to the standard patient notice. Snail mail notices would probably be too expensive to justify. Email notices would be nearly cost-free. Anyone should be able to subscribe to the listserv at no cost.
A covered entity affirmatively required to notify patients and, perhaps, the local newspaper, may think twice about making a change that would undermine patient privacy interests.

Access for Inspection or Copying

The rule permits a covered entity to deny access when a disclosure would be reasonably likely to endanger life or physical safety of the individual or another person. I disagree with the policy, at least insofar as it permits the withholding of information from a patient because the patient would be placed in danger. The circumstances that would trigger this type of denial are so unlikely that the exception is not worth keeping. There is no evidence from experience with the Privacy Act of 1974 or state laws or policies regarding patient access that this exception is justified. Patients should be able to obtain access to their own records without any concern about the consequences to themselves. Regardless, it is a mockery of informed consent that a patient can authorize the disclosure of a record but cannot see the record. By allowing a covered entity to deny access on the basis that disclosure will harm the subject of the record (no matter the standard), the rule allows for a complex and expensive administrative process. Record keepers may simply refuse all requests until the provider who created the record determines in writing that disclosure will not cause harm. An insurer or health plan that is not a provider could use this excuse to delay or deny access to all patients. Providers who are most capable of making the determination may have no incentive to do so, and they may simply ignore or delay responding to requests from covered entities for opinions. The result will be that any covered entity can use potential harm to the patient as an excuse for not complying with an access request. The availability of procedural denials and delays creates an opportunity for covered entities to deny patients their rights.
If retained, the exception should include these safeguards: 1) the exception should be considered to be permanently waived if not properly invoked within thirty days; 2) the rule should expressly provide that the exception cannot be used to withhold an entire record; 3) covered entities should be required to use the exception in good faith; 4) the burden of justifying the exception should expressly belong to the record keeper, and the record keeper should be expressly prohibited from asking the record subject to obtain approval from previous providers; and 5) all determinations of harm must be made by health professionals who must be identified by name if an individual is denied access to a record on the basis of a finding of harm. By creating an exception that requires record keepers to exercise judgment, the rule creates an unnecessary liability. Covered entities that receive requests will worry that they will be liable if a disclosure results in harm, no matter how unlikely it may be. A rule that did not allow for an exception based on harm to the record subject would not present the same concern about liability. The result would be a simpler administrative process, more ready patient access, and less stress for covered entities. The rule permits a covered entity to charge a reasonable, cost-based fee for copying. I do not object to permitting a fee, but the rule should be more specific. We have enough experience from the early days of the Freedom of Information Act to know that a loosely drafted fee schedule will result in high fees that impede access to records. A fee that is three times the direct and indirect cost may qualify as "cost-based" and still be excessive. I suggest that the fee be limited so that it does not exceed the lowest standard charge imposed by the covered entity for providing copies in other circumstances. In the alternative, the fee should be limited to direct costs of copying under a published fee schedule. 
Accounting of Disclosures

The rule does not require disclosure to the record subject of any accounting records for disclosures for treatment, payment, and health care operations. This is a curious and mistaken choice. If audit trails of disclosures for treatment, payment, and health care operations exist, then record subjects should have the right to see the audit trails. Some institutions already maintain complete audit trails, and there is no reason to deny record subjects access to the trails when they exist. Whether audit trails are valuable enough to require for all disclosures is a more complex decision. Routine activities for a single hospitalized patient may result in dozens or even hundreds of audit trails a day. An enormous volume of records would be created if the rule required recording all accesses. On the other hand, audit trails have great potential for preventing abuse of records or for identifying miscreants. Because most abuses are the result of activity by insiders, excluding disclosures for treatment, payment, and health care operations from an audit trail requirement would destroy the deterrent value of the audit trails. The rule should not discourage institutions from maintaining full audit trails. However, when the audit trails exist, record subjects should have access to them. Audit trails for paper records are too expensive to require. Similarly, disclosures of information between providers through personal communications would also be expensive and cumbersome to record in an audit trail. However, when access to records comes through a computer, maintaining an audit trail is simple because it can be accomplished automatically. I recommend that the rule require audit trails for treatment, payment, and oversight (as well as all other disclosures) for computer systems. The requirement should be prospective so that it only applies to new computer systems placed in service at some time in the future.
If record keepers have sufficient notice of the requirement, it will be relatively easy to include an audit trail capability at little additional cost. The rule allows an exclusion from the audit trail requirement for law enforcement or health oversight disclosures on written request. Under this rule, it will be routine for law enforcement and oversight agencies to seek exclusion from accounting every time they request a health record. Police or fraud investigators will enter a hospital, wave a badge, and offer a 27th generation photocopy of a boilerplate demand for accounting exclusion. This should not be acceptable. If there is an adequate reason for exclusion, the rule should require a court order. Obtaining a court order will establish a sufficiently high procedural barrier so that exclusions will not be sought casually. In the alternative, if a written request for exclusion is acceptable, the request should be dated, signed by a supervisory official, and contain a certification that the official is personally familiar with the purpose of the request and the justification for exclusion from accounting. It would be better if the rule required that the entire request for exclusion be handwritten by the supervisory official.

Amendment or Correction

The rule permits a covered entity to refuse a request for correction if it did not create the information at issue. This limitation makes the amendment process a mockery. For example, many records at insurance companies will not be correctable because insurance company records mostly consist of claims from providers. The insurance company can refuse most requests for correction on strictly procedural grounds. At hospitals, incorrect records created by providers long-since dead or by health plans no longer in operation could remain uncorrected.
("We recognize that you contend your child is a male, but the record we received from your health plan says that the child is a female, and we don't have to consider your request for a correction.") Lazy administrators may simply pass the buck to someone else, who may deny creating or disclosing the record, who may just say that an old record cannot be located, or who may simply ignore a request that is not about a current patient. The proposed rule for correcting a record may force a patient back through a trail of record keepers that extends for decades. It will be an impossible challenge. Even worse, the rule actually provides a defense to a hospital that does not want to correct a record that came from another source. Ethically, a provider would have an obligation to make sure that a questioned record is accurate. Under the rule, not only does a provider have no such obligation, it has a defense should it choose to deny a request for correction. ("The Secretary said that we don't even have to consider your request for correction.") Consider the following scenario: An insurance company denies the claim of John Jones, Jr., for payment for an appendectomy on the grounds that he had an appendectomy last year. Jones says that it was his father who had an appendectomy last year. The insurance company can refuse to consider the request for correction because it received the information from the hospital. The hospital says that its records are correct and that the insurance company made the mistake. John Jones has no remedy under the rule, and the insurance company has a procedural excuse for refusing to correct the record and for denying the claim. If a covered entity uses health information to make decisions about an individual, it must be required to consider in good faith any request for correction or amendment. 
The proposed rule is perverse in that it establishes a policy that allows a covered entity to use information to affect the rights, benefits, or treatment of an individual but it does not require the entity to even consider a request for amendment in some circumstances. It is not necessary to require a covered entity to change a record that it did not create in all circumstances, but the covered entity must be required to consider the request in good faith if it is using the information to make decisions about the record subject. If requiring some record keepers to consider correction requests makes no sense (e.g., clearinghouses), then exempt those record keepers from the rule. The current exemption is the wrong way to solve the problem.

#####

From owner-med-privacy@venice.essential.org Thu Dec 30 16:43:09 1999 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from smtp10.atl.mindspring.net (smtp10.atl.mindspring.net [207.69.200.246]) by venice.essential.org (Postfix) with ESMTP id ED3B521B08 for ; Thu, 30 Dec 1999 16:43:05 -0500 (EST) Received: from ix.netcom.com (user-2ini8mg.dialup.mindspring.com [165.121.34.208]) by smtp10.atl.mindspring.net (8.9.3/8.8.5) with ESMTP id QAA16137; Thu, 30 Dec 1999 16:43:00 -0500 (EST) Message-ID: <386BD310.9623F42C@ix.netcom.com> Date: Thu, 30 Dec 1999 13:48:05 -0800 From: Peter Marshall X-Mailer: Mozilla 4.08 (Macintosh; I; PPC) MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: multipart/mixed; boundary="------------ECFB3A3ADCE2E6FBCEC0005D" Subject: [Med-privacy] Surgeon General's Report This is a multi-part message in MIME format.
--------------ECFB3A3ADCE2E6FBCEC0005D Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable
> http://www.medscape.com/Medscape/psychiatry/journal/1999/v04.n06/mh1221.kenn/mh1221.kenn-02.html
>
> First Surgeon General's Report on Mental Health
>
> Dr. Satcher's Mental Health Report
> [....]
> Chapter 7. Confidentiality of Mental Health Information
> [....]
> Copyright © 1994-1999 by Medscape Inc.
--------------ECFB3A3ADCE2E6FBCEC0005D Content-Type: text/html; charset=iso-8859-1; name="mh1221.kenn-02.html" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline; filename="mh1221.kenn-02.html"
First Surgeon General's Report on Mental Health
[Medscape Mental Health 4(6), 1999. © 1999 Medscape, Inc.]

Dr. Satcher's Mental Health Report

Message From Donna E. Shalala, Secretary of Health and Human Services
Foreword
Preface
Acknowledgments
Table of Contents
Chapter 1. Introduction and Themes
Chapter 2. The Fundamentals of Mental Health and Mental Illness
Chapter 3. Children and Mental Health
Chapter 4. Adults and Mental Health
Chapter 5. Older Adults and Mental Health
Chapter 6. Organizing and Financing Mental Health Services
Chapter 7. Confidentiality of Mental Health Information
Chapter 8. A Vision for the Future
List of Tables and Figures
--------------ECFB3A3ADCE2E6FBCEC0005D-- From owner-med-privacy@venice.essential.org Thu Dec 30 18:51:22 1999 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from web802.mail.yahoo.com (web802.mail.yahoo.com [128.11.23.62]) by venice.essential.org (Postfix) with SMTP id 046DE21B08 for ; Thu, 30 Dec 1999 18:51:22 -0500 (EST) Received: (qmail 3715 invoked by uid 60001); 30 Dec 1999 23:51:23 -0000 Message-ID: <19991230235123.3714.qmail@web802.mail.yahoo.com> Received: from [198.139.141.131] by web802.mail.yahoo.com; Thu, 30 Dec 1999 15:51:23 PST Date: Thu, 30 Dec 1999 15:51:23 -0800 (PST) From: Whistle To: med-privacy@venice.essential.org MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="0-1804289383-946597883=:3234" Subject: [Med-privacy] Fwd: [DOEWatch] TV Programming announcement--Premiere of "Declassified: Human Experimentation" --0-1804289383-946597883=:3234 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Note: forwarded message attached. ===== Thistle __________________________________________________ Do You Yahoo!? Talk to your friends online with Yahoo! Messenger. http://messenger.yahoo.com --0-1804289383-946597883=:3234 Content-Type: message/rfc822 X-Apparently-To: weeethistle@yahoo.com via web802.mail.yahoo.com X-Track2: 2 X-Track: -50 Received: from pop5.onelist.com (HELO onelist.com) (209.207.164.53) by mta133.mail.yahoo.com with SMTP; 30 Dec 1999 02:43:49 -0000 Received: (qmail 26572 invoked by alias); 30 Dec 1999 02:39:41 -0000 Received: (qmail 23938 invoked from network); 30 Dec 1999 02:38:00 -0000 Received: from unknown (209.207.164.239) by pop5.onelist.com with QMQP; 30 Dec 1999 02:38:00 -0000 Received: from unknown (HELO imo-d06.mx.aol.com) (205.188.157.38) by 209.207.164.239 with SMTP; 30 Dec 1999 02:38:05 -0000 Received: from Magnu96196@aol.com by imo-d06.mx.aol.com (mail_out_v24.6.) 
id h.0.c414a638 (1813) for ; Wed, 29 Dec 1999 21:38:04 -0500 (EST) From: Magnu96196@aol.com Message-ID: <0.c414a638.259c1f8b@aol.com> Date: Wed, 29 Dec 1999 21:38:03 EST To: doewatch@onelist.com MIME-Version: 1.0 X-Mailer: AOL 3.0 for Windows 95 sub 52 Mailing-List: list doewatch@onelist.com; contact doewatch-owner@onelist.com Delivered-To: mailing list doewatch@onelist.com Precedence: bulk List-Unsubscribe: Subject: [DOEWatch] TV Programming announcement--Premiere of "Declassified: Human Experimentation" Content-Type: multipart/mixed; boundary="onelist.6253.13394" Content-Length: 2284 --onelist.6253.13394 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit The World Premiere of "Declassified: Human Experimentation" (The secret history of U.S. military experiments conducted on millions of unwitting citizens) will air on the History Channel January 8, 2000, 8:00 p.m. EST ------------------------------------------------------------------------ DOEWatch List ----A Magnum-Opus Project --- The real Natl. Sec. Directive Subscribe online: http://www.onelist.com -based near the cryptic named X-10 [god and ten commandments] and Y-12 [yahweh and disciples] nuke weapons plants of the nuclear tabernacle of Oak Ridge. "If the radiance of a thousand suns were to burst at once into the sky That would be like the splendor of the Mighty one... I am become Death, The shatterer of Worlds." -Oppenheimer July 16, 45 at Trinity from 5,000 year old Bhagavad-Gita "We have discovered the most terrible bomb in the history of the world. It may be the fire destruction prophesized in the Euphrates Valley Era, after Noah and his fabulous Ark. Anyway we think we have found the way to cause the disintegration of the atom." -Quote from Truman's diary July 25, 45 after Pottsdam and the "baby was born" and grew into "Little Boy" and "Fat Man" and the hydrogen bomb delivered by bomber named "Dave's Dream." Enola Gay's pilot, after Hiroshima, enters "My God' in the log. 
"The Doctor of the future will give No Medicine, but will interest his patients in the care of the human frame, in diet, and in the cause and prevention of disease." -Attributed to Thomas Alva Edison "In a time of universal deceit, telling the truth is a revolutionary act" -George Orwell DOEWatch page: http://members.aol.com/doewatch --onelist.6253.13394 Content-Type: text/html; charset="us-ascii" Content-transfer-encoding: 8bit


--onelist.6253.13394 Content-Type: text/plain; charset="us-ascii" Content-transfer-encoding: 8bit --onelist.6253.13394-- --0-1804289383-946597883=:3234--

From owner-med-privacy@venice.essential.org Fri Jan 7 16:25:16 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from stmpy.cais.net (stmpy.cais.net [199.0.216.101]) by venice.essential.org (Postfix) with ESMTP id 37ED921B09 for ; Fri, 7 Jan 2000 16:25:16 -0500 (EST) Received: from cais.com (dup-207-176-73-166.cais.net [207.176.73.166]) by stmpy.cais.net (8.8.8/8.8.8) with ESMTP id QAA24609; Fri, 7 Jan 2000 16:25:10 -0500 (EST) Message-ID: <387659AF.AC265E95@cais.com> Date: Fri, 07 Jan 2000 16:25:03 -0500 From: Robert Gellman X-Mailer: Mozilla 4.61 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: [Med-privacy] Privacy Bibliography I maintain a health privacy bibliography, and I have distributed earlier versions of it here and elsewhere on the Net from time to time. It has gotten a bit too long for that now, and the nice folks at the Electronic Privacy Information Center have agreed to maintain it at their website.
It is public domain material and available for your use at: http://www.epic.org/privacy/medical/gellman.html Bob -- + + + + + + + + + + + + + + + + + + + + + + + + Robert Gellman + + Privacy and Information Policy Consultant + + 431 Fifth Street SE + + Washington, DC 20003 + + 202-543-7923 (phone) 202-547-8287 (fax) + + + + + + + + + + + + + + + + + + + + + + + + From owner-med-privacy@venice.essential.org Sat Jan 8 15:41:12 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from smtp6.mindspring.com (smtp6.mindspring.com [207.69.200.110]) by venice.essential.org (Postfix) with ESMTP id 18DC021B05 for ; Sat, 8 Jan 2000 15:41:11 -0500 (EST) Received: from ix.netcom.com (stl-wa36-23.ix.netcom.com [207.220.42.151]) by smtp6.mindspring.com (8.9.3/8.8.5) with ESMTP id PAA17977; Sat, 8 Jan 2000 15:41:05 -0500 (EST) Message-ID: <3877A22B.76B635FC@ix.netcom.com> Date: Sat, 08 Jan 2000 12:46:52 -0800 From: Peter Marshall X-Mailer: Mozilla 4.08 (Macintosh; I; PPC) MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: multipart/mixed; boundary="------------10098F2BCC1B9205A7A2B9C3" Subject: [Med-privacy] med-privacy: WA patients rights bill (edited) This is a multi-part message in MIME format. --------------10098F2BCC1B9205A7A2B9C3 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit --------------10098F2BCC1B9205A7A2B9C3 Content-Type: text/html; charset=us-ascii; x-mac-type="54455854"; x-mac-creator="4D4F5353"; name="6199" Content-Transfer-Encoding: 7bit Content-Description: Netscape Communicatorª Document Content-Disposition: inline; filename="6199" Content-Base: "file:///6%3A22%3A99/Desktop%20Folder/6 199" 6199  
S-3567.1 _______________________________________________

SENATE BILL 6199
_______________________________________________

State of Washington 56th Legislature 2000 Regular Session

By Senators Wojahn, Winsley, Thibaudeau, Snyder and Goings

AN ACT Relating to health care patient protection
 

{+ NEW SECTION. +} Sec. 1. PATIENT RIGHTS. It is the intent of
the legislature that patients covered by health plans receive quality
health care designed to maintain and improve their health. The purpose
of this act is to ensure that health plan patients:
(1) Have improved access to information regarding their health
plans;
(2) Have sufficient and timely access to appropriate health care
services, and choice among health care providers;
(3) Are assured that health care decisions are made by appropriate
medical personnel;
(4) Have access to a quick and impartial process for appealing plan
decisions;
(5) Are protected from unnecessary invasions of health care
privacy; and
(6) Are assured that personal health care information will be used
only as necessary to obtain and pay for health care or to improve the
quality of care.

{+ NEW SECTION. +} Sec. 2. HEALTH INFORMATION PRIVACY. (1) Each
carrier that offers a health plan must develop and implement policies
and procedures governing the collection, use, and disclosure of health
information. These policies and procedures must include methods for
enrollees to access information about themselves and to amend any
information that is inaccurate, for enrollees to restrict the
disclosure of sensitive information about themselves, and for enrollees
to obtain information about the carrier's health information policies.
In addition, these policies and procedures must include methods for
carrier oversight and enforcement of information policies, for carrier
storage and disposal of health information, and for carrier conformance
to state and federal laws governing the collection, use, and disclosure
of personally identifiable health information. Each carrier must
provide a summary notice of its health information policies to
enrollees, including the enrollee's right to restrict the collection,
use, and disclosure of their own health information.
(2) Except as otherwise required by statute or rule, or a carrier's
disclosure made pursuant to requirements in RCW 70.02.050 and 70.02.900
for health care providers, a carrier is, and all persons acting at the
direction of or on behalf of a carrier or in receipt of an enrollee's
personally identifiable health information are, prohibited from
collecting, using, or disclosing personally identifiable health
information unless authorized in writing by the person who is the
subject of the information. At a minimum, such authorization must be
valid for a limited time and purpose; be specific as to purpose and
types of information to be collected, used, or disclosed; and identify
the persons who will be receiving the information.
(3) Nothing in this section shall be construed to prevent: (a) The
creation, use, or release of anonymous data that has been coded or
encrypted to protect the identity of the individual, and for which
there is no reasonable basis to believe that the information could be
used to identify an individual; or (b) the release by a carrier of
personally identifiable health information for health research subject
to the requirements of the federal "common rule" at 21 C.F.R. Secs. 50
and 56 (1968) and 45 C.F.R. Sec. 46 (1972).
(4) The commissioner shall adopt rules to implement this section
and shall take into consideration health information privacy standards
recommended by the national association of insurance commissioners and
other related professional organizations.
(5) The commissioner shall enforce the provisions of chapter 70.02
RCW as they apply to carriers.

{+ NEW SECTION. +} Sec. 3. INFORMATION DISCLOSURE. (1) A carrier
that offers a health plan may not offer to sell a health plan to an
enrollee or to any group representative, agent, employer, or enrollee
representative without first offering to provide, and providing upon
request, the following information before purchase or selection:

(c) A statement of the carrier's policies for protecting the
confidentiality of health information;
 
 

{+ NEW SECTION. +} Sec. 16. This act may be known and cited as the health care
patient bill of rights.

{+ NEW SECTION. +} Sec. 19. To the extent permitted by law, if any provision
of this act conflicts with state or federal law, such provision must be construed in
a manner most favorable to the enrollee.

{+ NEW SECTION. +} Sec. 20. If any provision of this act or its application to
any person or circumstance is held invalid, the remainder of the act or the
application of the provision to other persons or circumstances is not affected.

{+ NEW SECTION. +} Sec. 21. APPLICATION. (1) This act applies to: Health
plans offered, renewed, or issued by a carrier; medical assistance provided under RCW
74.09.522; the basic health plan offered under chapter 70.47 RCW; and public employee
health benefits provided under chapter 41.05 RCW.
(2) Except as provided in section 14 of this act, this act applies to contracts
renewing after June 30, 2001.

{+ NEW SECTION. +} Sec. 22. Section 14 of this act takes effect July 1, 2001.

{+ NEW SECTION. +} Sec. 23. The following acts or parts of acts are each
repealed:
(1) RCW 48.43.075 (Informing patients about their care--Health carriers may not
preclude or discourage) and 1996 c 312 s 2;
From owner-med-privacy@venice.essential.org Mon Jan 10 14:25:55 2000
From: Peter Marshall
Date: Mon, 10 Jan 2000 11:31:36 -0800
To: med-privacy@venice.essential.org
Subject: [Med-privacy] AMA approves new policy on medical records privacy
Message-ID: <387A338B.F2742975@ix.netcom.com>

> http://www.ama-assn.org/sci-pubs/amnews/pick_00/gvsf0103.htm
American Medical News - GOVERNMENT & MEDICINE

AMA approves new policy on medical records privacy

New AMA policy sanctions the use of personal medical information for public health and disease surveillance.

By Jay Greene, AMNews staff. Jan. 3/10, 2000.

San Diego -- With the Feb. 21 deadline nearing for final federal rules governing privacy of electronic medical records, the American Medical Association approved a policy statement it plans to use to argue for changes in the proposed regulations.

AMA officials said privacy and confidentiality of medical records is essential to safeguard the physician-patient relationship.

The new policy adopted by the AMA House of Delegates at its Interim Meeting last month was crafted by the Inter-Council Task Force on Privacy and Confidentiality and builds on a package of task force recommendations passed in June 1999 regarding the confidentiality of patient information used for medical research.

Waiting for federal regulations written by the Dept. of Health and Human Services is the last thing the AMA wanted. Under language in the Health Insurance Portability and Accountability Act of 1996, Congress had three years to develop legislation. When the congressional deadline expired Aug. 21, 1999, HHS was required by law to write regulations. The agency unveiled its proposal last month.

Spurred by many requests from the AMA, other medical groups, consumer organizations and some congressional lawmakers for more time to evaluate and respond to the proposed regulation, HHS has extended the public comment period from Jan. 3 to Feb. 17.

"The AMA is pleased that the deadline was extended," said AMA Trustee Donald J. Palmisano, MD, a co-chair of the privacy task force. "These are extensive regulations, and it is important that we fully review the regulations and give appropriate comment."

New AMA policy

The Association will use the new AMA policy not only to shape its response to the HHS proposal, but also to influence the congressional debate over medical records privacy that is expected next year, Dr. Palmisano said.

Adding to the AMA's already lengthy list of policy, the task force recommendations state that:

  • Disclosure of personally identifiable patient information to public health physicians and departments is appropriate for the purpose of addressing public health emergencies or complying with laws on public health reporting for disease surveillance.

"The public health community was extremely helpful in bringing us important information so that we could develop policy that respects patient privacy and, at the same time, protects the health of the patients in our nation," Dr. Palmisano said.

  • Physicians should counsel patients, before genetic testing, on the familial implications of genetic test results, and emphasize the importance of sharing results in instances where there is a high likelihood that a relative is at risk of serious harm and could benefit from early monitoring.
  • Patients should be notified of the sale or discontinuation of a medical practice whenever possible and asked for authorization to transfer their medical records to new physicians or care providers.
  • Only de-identified or aggregate data should be used for "business decisions," including sales, mergers and similar transactions when ownership or control of records changes hands.
  • The most appropriate authority for considering physician breaches of patient confidentiality is the relevant state medical practice act.
  • Knowing and intentional breaches of patient confidentiality represent a violation of the professional practice of medicine.

In other action, the house approved a resolution that calls for the AMA to work with the American Society of Addiction Medicine, the American Psychiatric Assn. and other medical organizations to ensure that impaired physicians have a right to medical confidentiality from their patients.

Several courts in recent years have ruled that physicians with HIV or who are chronic alcoholics or cocaine users have a duty to disclose those facts to patients. The AMA believes disclosure requirements will discourage physicians from seeking needed treatment.

Under ethics guidelines, the AMA already requires impaired physicians to seek help.

From owner-med-privacy@venice.essential.org Fri Jan 14 15:47:29 2000
From: Peter Marshall
Date: Fri, 14 Jan 2000 12:53:21 -0800
To: med-privacy@venice.essential.org
Subject: [Med-privacy] med-privacy: RWJ "HealthKey" program (release)
Message-ID: <387F8CAD.891A0C03@ix.netcom.com>

Business Wire

Health Privacy and Technology Effort Receives $2.5 Million National Grant For Five-State Project

Story Filed: Tuesday, January 11, 2000 9:16 AM EST

SEATTLE, Jan 11, 2000 (BUSINESS WIRE) --

The Robert Wood Johnson Foundation Expands Support to Massachusetts, Minnesota, North Carolina, Utah and Washington

The Princeton, New Jersey-based Robert Wood Johnson Foundation has authorized a two-year, $2.5 million grant that will provide continued support to promote electronic commerce in the health industry and enhance the health information infrastructure in five states.

A consortium of five health information organizations spanning the nation will focus on testing appropriate uses of technology and determining best practices for protecting individuals' privacy. The program will be called HealthKey ( www.healthkey.org).

The organizations that will benefit directly from the grant are: Massachusetts Health Data Consortium (MHDC), Minnesota Health Data Institute (MHDI), North Carolina Health Information and Communications Alliance (NCHICA), Utah Health Information Network (UHIN) and the Pacific Northwest-based Community Health Information Technology Alliance (CHITA) which is a program of the Foundation for Health Care Quality in Seattle. Each organization will lead regional efforts to test secure technologies and understand the business and social implications for the health industry.

"In essence, sending e-mails across today's Internet is like having an old fashioned party-line for your home telephone," said Elizabeth Ward, chief executive officer of the Foundation for Health Care Quality. "No one wants their e-mail -- especially when it pertains to highly personal or confidential medical matters to be exposed or accessible. And, secure e-mail is just one area where e-business can respond to the growing demands for proper use of technology in the health industry."

The HealthKey program participants will explore solutions for a variety of healthcare business-to-business problems. One solution being considered by the participants is Public Key Infrastructure (PKI). PKI can increase confidence in electronic information systems by combining the issuance of digital certificates (to confirm the identity of individuals and organizations) with the encryption of electronic messages to protect personally identifiable information during transmission.

A major focus of the program is to share knowledge and lessons learned. Through these efforts, many organizations and communities across the country will be able to accelerate development of more efficient ways to protect and share health information. The program will develop a web site, www.healthkey.org, as one means to disseminate work products and solicit broad feedback.

"This multi-state effort will aggressively pursue technology demonstrations of secure and confidential transmission of health data," said the HealthKey Program Coordinator, Laura Ripp. "Our collaborative work will focus on making the best use of secure Internet technologies and facilitating health organizations -- from insurers and hospitals to state agencies -- to satisfy business needs using available technology and national standards. Our work will stress that individual privacy protections, ease of use, reliability, affordability and interoperability are critical to widespread adoption."

"Activities in five states related to health privacy and secure transmission of patient data will get a boost from this cross-state collaboration," said Ward. "By building community consensus, these five organizations can provide leadership in health technology that is greatly needed."

The grant will be administered by the Seattle-based Foundation for Health Care Quality, a 10-year-old non-profit organization that focuses its programs in three areas: consumer health issues, quality measurement and electronic commerce.

About the Robert Wood Johnson Foundation

The Robert Wood Johnson Foundation is the nation's largest philanthropy devoted exclusively to health and healthcare. It concentrates its grantmaking in three goal areas: to assure that all Americans have access to basic health care at reasonable cost; to improve care and support for people with chronic health conditions; and to reduce the personal, social and economic harm caused by substance abuse. Since 1972, The Robert Wood Johnson Foundation has made more than $2 billion in grants.

About the Massachusetts Data Consortium

The Massachusetts Health Data Consortium was founded in 1978 by the state's major public and private healthcare organizations to serve as a neutral agency to collect, analyze and disseminate health care information. In 1995, Elliot M. Stone, the Consortium's CEO, helped found the Affiliated Health Information Networks of New England project, a collaborative effort currently consisting of the chief information officers of 26 healthcare organizations and 8 information technology companies/consultants. The mission of the Affiliated Networks is "to improve the state's health care information infrastructure by fostering the growth of a variety of health information networks, building on systems already in place, while encouraging collaboration and standardization among these networks." The CIO Forum of the Affiliated Networks has agreed to cooperate on four projects: secure messaging, provider databases, standardized enrollment transactions, and standards for physician desktop computers.

About the Minnesota Health Data Institute

"The Internet has become one of the more powerful information and communication resources in the world today, and we need to make it secure and reliable enough to support the exchange of health information," said Walter Suarez, MD, Executive Director of the Minnesota Health Data Institute. "We are very pleased with the opportunity to participate in this grant and partner with the other four states in advancing the use of health care electronic commerce in our nation." The Institute is a non-profit public-private partnership established in 1993 by the Minnesota Legislature to support the information needs of consumers, purchasers, providers, plans and other stakeholders in measuring and improving the quality and efficiency of health care services in Minnesota. One of its programs is the Minnesota Center for Healthcare Electronic Commerce (MCHEC), the first independent education and resource center dedicated exclusively to promoting the use of electronic commerce within the health care industry.

About the North Carolina Healthcare Information and Communications Alliance, Inc.

The North Carolina Healthcare Information and Communications Alliance, Inc. (NCHICA) is a nonprofit consortium of over 140 health care providers, health plans, professional associations, government agencies, health research and pharmaceutical companies, and vendors who collaborate to plan and implement standards-based technology to improve health care in the region. Formed in 1994 by Executive Order of Governor James B. Hunt, Jr. and under the leadership of executive director Holt Anderson, NCHICA has been very active in the development of model privacy legislation, secure Internet technologies and clinical applications that require the innovative application of technology and communications.

About the Utah Health Information Network

Under the leadership of executive director Bart Killian, the Utah Health Information Network will be using an Internet based product with digital signature in accordance with the Utah State Law on Digital Signature to secure the privacy of both patients and providers. Funding from The Robert Wood Johnson Foundation will work to support this vital application of encryption and authentication for the transmission of electronic health care information in Utah.

About the Community Health Information Technology Alliance

Based in the Pacific Northwest, CHITA is the Community Health Information Technology Alliance. Part of the non-profit Foundation for Health Care Quality, CHITA's purpose is to improve the effectiveness of the health system by expanding the use of electronic business in a manner that will serve and protect the consumers of health care and the members of CHITA. CHITA was founded in 1997 and membership includes hospitals and health care provider organizations, insurance companies and state agencies. Funding from the HealthKey project will be used to pilot security models among CHITA's members and coordinate CHITA's privacy initiatives with real world business objectives.

For more information on the participating organizations, contact:

Joe Miller, Project Manager, Massachusetts Health Data Consortium; Bus: 781/768-2501; Bus Fax: 781/768-2510; E-mail: joemiller@mail.com; Web site: http://www.mahealthdata.org

Peter Summerville, Director, CHITA (Pacific Northwest); 206/224-3950; Fax: 206/682-3739; E-mail: peterb5@chita.org; Web site: http://www.chita.org

Jim Brooking, Project Manager, North Carolina Healthcare Information & Communications Alliance; 919/558-9258, ext. 26; Fax: 919/558-2198; E-mail: jim@nchica.org; Web site: http://www.nchica.org

John Fraser, Director of Information Systems, Minnesota Health Data Institute; Bus: 612/917-6715; Bus Fax: 612/917-6720; E-mail: john.fraser@mhdi.org; Web site: http://www.mhdi.org

Jan Root, PhD, Standards Manager, Utah Health Information Network; 801/466-7705, ext 202; Fax: 801/466-7169; E-mail: janroot@uhin.com; Web site: http://www.uhin.com

Copyright (C) 2000 Business Wire. All rights reserved.

Distributed via COMTEX.

CONTACT: Imagio Health Technology
Sara Garrettson, 206/625-0252
WEB PAGE: http://www.businesswire.com
From owner-med-privacy@venice.essential.org Tue Jan 11 13:05:30 2000
From: Peter Marshall
Date: Tue, 11 Jan 2000 10:10:49 -0800
To: med-privacy@venice.essential.org
Subject: [Med-privacy] med-privacy in Database Nation
Message-ID: <387B7226.F4082FE6@ix.netcom.com>

Database Nation: The Death of Privacy in the 21st Century
Simson Garfinkel
O'Reilly and Associates
January 2000

"Database Nation by Simson Garfinkel is a graphic and blistering indictment of the burgeoning technologies used by business, government, and others to invade the self -- yourselves -- and restrict both your freedom to participate in power and your freedom from abuses of power. The right of privacy is a constitutionally protected right, and its erosion or destruction undermines democratic society as it generates, in one circumstance after another, a new kind of serfdom. This book is one that you're entitled to take very personally." Ralph Nader

[The first half of] Chapter 6: To Know Your Future

Note: This is a beta-chapter. It may contain errors such as broken links, missing images, empty tables, and incomplete code.

Did you have an abortion when you were fifteen?

A few years ago, when your marriage was going through an especially rough spot, our records indicate that you were treated for a sexually transmitted disease that your wife didn't have. Does she know?
Is that lonely child with Down Syndrome in the state hospital yours? Why don't you visit her more often? I told Janice about the headaches you've been having at work. She said that when you guys were kids, your father used to smash your head against the wall. Do you think you might have brain damage? Did you know that you are adopted? Most Americans consider their medical records to be the most sensitive pieces of personal information that they have. Medical records are beacons into our past. They reveal secrets about families. They strip us naked, as if we had been prepped for surgery. They remind us about things we would rather forget -- and things that we don't want others ever to discover. Medical records are also windows into our future. They are imperfect oracles, to be sure -- a healthy person walking across the street can be hit by a truck -- but many illnesses and medical conditions follow a predictable path. People with untreated blockage of their coronary arteries tend to have heart attacks; diabetics who can't control their blood sugar are apt to go blind; people with untreated chronic depression are inclined to attempt suicide. Genetic records can be even more revealing. But medical records tell as much about the temporarily healthy as they do about the chronically ill. In a world of uncertainties, the precision that comes from knowing a healthy person's weight, blood pressure, and cholesterol level conveys a feeling of predictability. A doctor can't say for sure that you'll live to be 92, but a statistician can tell you that your odds of doing so are 35%. Insurance companies use this information to set rates. Businesses can use this information to help decide who they should train and promote for positions of responsibility. No Bigger Gap Medical records are also among the most difficult kinds of personal information to protect. 
While the actual paper or electronic files can be protected with locks or passwords, individual facts from those records are easily revealed out of malice, for profit, or even by accident. Consider the case of a young woman in Poughkeepsie, New York, who was in an automobile accident with her fiance in 1982. The pair was taken to the Vassar Brothers Hospital -- where the woman had secretly given birth the year before. When the woman checked in, an attendant pulled up her records from the hospital's computer. "Oh, you had a baby a year ago," the attendant said, in the presence of both the woman and her fiance. It was an understandable slip, but it revealed a world of personal information. A far more malicious privacy invasion befell U.S. Representative Nydia Velazquez that same year. Three weeks after Velazquez won New York's Democratic primary, she received a telephone call from Pete Hamill, a reporter at the New York Post. Velazquez testified before the Senate Judiciary Committee in 1994: He told me that the night before, the Post had received an anonymous fax of my records from St. Claire Hospital. The records showed that I had been admitted to the hospital a year ago, seeking medical assistance for a suicide attempt. He told me that other newspapers across the city had received the same information and the New York Post was going to run a front-page story the next day. My records were leaked for one purpose only, to destroy my candidacy for the U.S. House of Representatives by discrediting me in the eyes of my constituents. Very few people knew about my situation, and I made a decision of not sharing it with my family. I wanted them to always remember me as a fighter, happy and strong. My father and mother, 80 years old, they did not understand. They still do not understand. When I found out this information was being published in the newspaper and that I had no power to stop it, I felt violated. I trusted the system, and it failed me. 
What's even more disturbing is that, in all likelihood, no laws were violated when Velazquez's records were faxed. A doctor can be disciplined or lose his or her license for violating patient confidentiality. Hospitals are required under the state's hospital regulations to have a medical records department that "ensure[s] the confidentiality of patient records" -- and a hospital can lose its accreditation if there is a pattern of confidentiality violations, says Donald Moy, General Counsel of the New York State Medical Society. But no state or local law has criminalized the unauthorized release of medical records themselves. A secretary or a janitor who walks into the hospital's records room and faxes out the records might be violating the hospital's rules, but they wouldn't be committing a criminal act. "Most people think it's illegal to release medical records. They are unaware that no law exists," says Robert Ellis Smith, publisher of The Privacy Journal. "What they might mean is that release would subject a physician to ethical sanctions or that the victim could sue for an invasion of privacy. You should ask folks who make that assertion [that medical records are protected] to cite the law. In my experience, in no other area of privacy is there a bigger gap between what people's expectation of protection is and what the reality is than in medical records." As of 1995, 43 U.S. states lacked laws criminalizing the release of medical records. Likewise, there is no federal law criminalizing the improper release of medical records. Such laws are clearly needed, because unauthorized releases are very widespread. According to the 1993 Health Information Privacy Survey by Louis Harris and Associates and Alan Westin, "27% of respondents (representing 50 million adults) report their belief that an organization or person having their personal medical information has disclosed it improperly".
"Thirty-one percent of these respondents (representing 8% of the total population and 14 million Americans) go on to report that they were harmed or embarrassed by that disclosure". The study also found that the people most likely to believe that there is a serious problem with medical privacy today are the people on the front lines -- doctors and nurses. "Most patients would be surprised at the number of organizations that receive information about their health record: their provider, insurer, pharmacist, state public health organizations -- perhaps even their employer, life insurance company, or marketing firms," says Paul D. Clayton, who chaired the National Research Council's Committee on Healthcare Privacy and Security. "Sharing of information within the healthcare industry is largely unregulated and represents a significant concern to privacy advocates and patients alike because it often occurs without a patient's consent or knowledge." Despite the revelation of her suicide attempt, Velazquez managed to win her election. But Tommy Robinson wasn't so lucky. In 1990, Congressman Robinson was the Republican candidate for Governor of Arkansas, running against Bill Clinton. An insurer leaked to the press that Robinson had problems with alcohol. As it turned out, the diagnosis was in error. Nevertheless, Robinson's loss was attributed in part to the revelation. It's a revelation that might have had profound national consequences, since Bill Clinton was able to use the governorship that he won in that election to launch a successful campaign for the U.S. Presidency. As hard as it is to protect medical records in doctors' offices and in hospitals, the task pales when viewed in the broader context. There is an ever-increasing proliferation of other kinds of personalized medical information in our society -- information that, if revealed, can be just as damaging as a doctor's diagnosis. Billing records are mailed to insurance companies and other third-party payers.
Test results and detailed paper bills are sent to patients. Pharmacies know patients' prescription drugs. When a person buys an over-the-counter drug, the supermarket tape register becomes a kind of medical record. Likewise, there is an increasing assortment of home test kits for blood sugar, ovulation, pregnancy, and drug use. And a new generation of genetic tests is swiftly gaining in popularity -- tests that in many cases can be performed without a person's knowledge or permission. This information is being used, among other things, for marketing. Metromail reportedly has a medical database, called Patient Select, with 15 million names. "For about thirty cents per name, large drug companies can pitch their products directly to angina sufferers, diabetics, or arthritics," reports Amitai Etzioni, citing an article that appeared in Consumer Reports. In February 1998, the Washington Post revealed that two large drugstore chains, CVS and Giant Foods Pharmacy, were selling prescription drug sales records to Elensys, a Woburn, Massachusetts, marketing and fulfillment company. The companies said that they were only using Elensys to send out mailings that reminded customers to get their prescriptions refilled. But the Post story revealed that the profiles were also being used for targeted marketing -- and were being shared with other drug manufacturers. Giant Foods immediately said that they would curtail the practice, but CVS refused, at least at first, although it finally gave in to a torrent of consumer complaints. One month later, John Weld, Jr., a resident of South Dennis, Massachusetts, filed a class-action lawsuit against CVS, Elensys, and Glaxo-Wellcome, claiming that his private medical information had been breached and improperly traded. The Medical Records Fairy Tale From the outside, Daniel looked as if he was certainly vice-president material. In his seven years with the company, he had relocated twice, revamped a division, and become a senior director.
But then, one evening, Daniel's boss discovered a prescription bottle inside Daniel's medicine cabinet when she was over for dinner (she had been looking for an aspirin). A few telephone calls revealed that the drug was used for controlling hypertension -- and that Daniel had a 15-year history of high blood pressure. The company's doctor said that people with Daniel's condition usually die within five to thirty years -- but every case is different. So when Daniel's annual review came up, he got a hefty raise but not a promotion. After all, why give the guy more stress? And why groom a person to be one of the company's top executives when he might not be around in ten years? Once upon a time, medical records had a very specific purpose: they provided a detailed record of a person's encounters with the medical establishment so that future encounters might have a higher chance of having a positive outcome. People had a vested interest in making sure that their medical records were correct. Today, medical records have an expanded role -- a role that doesn't involve primary healthcare. They are used by employers and insurance companies to decide who should be hired and insured. They are used by hospitals and religious organizations to solicit donations. Even marketers are buying up medical records in search of sales leads. Whereas people once had an incentive to make sure that their medical records were complete, accurate, and up to date, nowadays many people feel pressured to compartmentalize their medical records so that, when they are inevitably disclosed, the damage will be minimized. Medical records were once seen as sacrosanct. Today, medical records are routinely sought and used in lawsuits to discredit witnesses, especially in cases of rape. Politicians and criminals alike have their medical records reported in the media without their permission. 
Ironically, the rapid proliferation of medical knowledge to the lay public is making the release of personal medical information all the more damaging. Medicine is a complex, largely ad hoc science, with many rules but many more individual exceptions. In untrained hands, a person's medical history or profile frequently becomes a tool to justify prejudice or an already decided outcome. The confidentiality of psychological records is particularly under attack, says Dr. Denise Nagel, executive director of the National Coalition for Patient Rights. Lawyers, HMOs, life insurance companies, and others are routinely demanding access to psychological records -- and in so doing, they are jeopardizing the nation's entire mental health system. "A person's willingness to share sensitive, often embarrassing information is dependent on being assured confidentiality. It is the basis of trust in the relationship," says Nagel. Recovery from many kinds of mental trauma and diseases requires that the issues discussed during therapy remain secret. The U.S. Supreme Court reached the same conclusion in the 1995 case Jaffe v. Redmond, Nagel notes, when the court ruled that conversations between a patient and a licensed social worker or therapist, even one who does not have a medical license, are nevertheless protected conversations about which testimony cannot be compelled unless the judicial need for disclosure clearly outweighs the patient's privacy interests. "Quality healthcare is rooted in the imperative need for confidence and trust," and that trust must not be lightly breached, the court concluded. Nevertheless, these same records are often sought by lawyers of alleged rapists. The attorneys then typically threaten to take the records into open court, in an attempt to disprove the credibility of their client's accusers, unless the victim drops the charges.
Such behavior by a defense attorney might itself seem criminal, or at least unethical, but it is standard practice in many rape trials. For example, a rape victim might have frequently fantasized about being raped when she was young; she now finds herself profoundly disturbed and unable to come to terms with the fact that the crime has finally happened to her for real. The victim might go through months of therapy to come to terms with this realization, only to be forced to listen in court to a defense attorney's theory that the woman might somehow have encouraged her attacker and been a willing participant. Parents, meanwhile, are increasingly demanding to have access to the psychological records of people who come into contact with their children. In West Virginia, parents demanded to see the medical records of a school bus driver who had made strange remarks while driving children. The school superintendent investigated and said the man was on medication and his condition posed no harm to the children. But the parents sued, and in 1986, the state's supreme court sided with the parents, saying that they were entitled to see the driver's complete medical file -- including his psychological records. Privacy Is Your Doctor's Responsibility A placard on the wall of my local hospital says "Please Respect Patient Confidentiality". And in a very important way, this sign says it all. Hospitals and other medical facilities need to rely on the ability of their employees to hold patient secrets. Doctors, nurses, clerks, and even janitors all see highly charged information. A hospital that tried to shield its employees from all sensitive patient information would quickly cease to function. Fortunately, in most cases, this trust seems well placed. I have never met a doctor or a healthcare professional who did not seriously undertake their responsibility for patient confidentiality. Patient privacy is at the very core of the healthcare profession. 
It goes all the way back to Ancient Greece and the Hippocratic Oath, which says, in part: "All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal." What complicates the confidentiality process is the fact that between 50 and 75 people need access to a patient's chart during a typical hospital visit. Keeping a secret requires everybody's cooperation: revealing it requires just one bad apple. Many hospitals hire temporary administrative workers who have little or no training in medical ethics. Other healthcare facilities are actively downsizing, creating employees who have a grudge against their employer. As the cases of Nydia Velazquez and Tommy Robinson demonstrate, it is all too easy for a careless and motivated insider to shatter the wall of medical privacy. Over the past 50 years, military intelligence agencies and major corporations have developed techniques for preventing the theft of confidential information and for tracing the sources of leaks. People are given personalized copies of records. Photocopies are logged. People have their bags searched upon entering or leaving a secure facility. These techniques are simply impossible to implement in the healthcare workplace. And for the most part, they are unnecessary. But leaks do happen -- and not just to people running for elected office. Since the outbreak of the AIDS epidemic, there has been case after case of people who have lost insurance or their jobs when it was revealed that they were infected with the HIV virus. In 1989, the FBI canceled the contract of a physician who had performed preemployment and annual physical exams for the Bureau in San Francisco when it learned that the physician had AIDS. 
In Salt Lake City in the early 1990s, a vitamin manufacturer fired Kim Allred when he tested positive for a marijuana derivative found in the prescription drug Marinol; when the company learned that he was taking the drug for AIDS, it refused to rehire him. At the Princeton Medical Center in 1987, a practicing surgeon named Dr. William Behringer was treated at his own facility and was diagnosed as suffering from AIDS. "Within hours of his discharge, he received many calls from well-wishers who evidently had learned of his condition. Most of the callers were his colleagues at the Medical Center. After that, patients called. Soon his surgical privileges were suspended by the hospital. A court found the breach of confidentiality the fault of the hospital," read an account in War Stories Volume II, published by the Privacy Journal. These stories show another side of the medical information privacy dilemma as well. You don't need to photocopy somebody's medical chart in order to destroy their medical privacy -- all you need is to leak a single declarative sentence like "Nydia Velazquez attempted suicide" or "Dr. William Behringer has AIDS". Indeed, as demonstrated by the Tommy Robinson case, the statement doesn't even have to be true -- just believable. When I started dating my wife in 1993, we went together to get tested for AIDS at Boston City Hospital. The clinic was one of several in the city specifically set up to allow for anonymous testing. The nurse who took my blood had no idea who I was and never asked for any identification. She gave me a control number when I left so I could learn the results. But when my wife and I returned a week later, a woman who was volunteering at the clinic recognized me from a class we had taken together at MIT. Should that volunteer have been legally prohibited from telling people that she had seen me at the clinic? What about other people who happened to be in the waiting room who might have recognized me? 
The problem here is one of segregation. The goal of anonymous AIDS testing is to allow individuals to be tested without the creation of a record. But by creating a special place for the anonymous delivery of a particular medical service, the privacy of the individuals becomes dependent on their continued anonymity. If there were multiple medical services delivered anonymously at the clinic, then merely recognizing a person at the clinic's doors would not compromise that person's ultimate medical privacy. Rape crisis centers and abortion clinics ("women's clinics") present similar problems. One solution would be the reintegration of these services into mainstream medical practices. Some people take the reverse point of view. They think that the best way to handle the morass of medical privacy is simply to eradicate it: unlock the files and the databanks, and make everybody's medical records freely available. David Brin, author of the Transparent Society, is a big proponent of this viewpoint. I actually believed it once myself; transparency has a simple elegance. I figured that everybody has some sort of medical condition or problem: the best way to destigmatize our diseases is to air them in public. The problem with opening everybody's medical records is that everybody has a different body. Some of those bodies are diabetic. Some have asthma. Some have inherited genetic diseases. Some have brains that are mildly schizophrenic, but controllable with medication. And some bodies are genuinely healthy. Opening up everybody's medical history to public scrutiny opens up people to all manner of discrimination and personal attack, for which there are seldom workable remedies. One of the purposes of privacy in society is to protect us from other social problems that we have not yet eradicated. Even if some futuristic and enlightened society manages to respect and value the sick in ways that we can't today, there is yet another overriding reason to abide by patient privacy. 
People who have managed to master their own physical or mental ailments deserve to go about their day-to-day lives without being constantly reminded of those problems by well-wishers. And as I mentioned earlier, the promise of confidentiality for psychological records is a fundamental need in order to have effective treatment for psychological diseases. People deserve and require control over their own medical matters and privacy for their medical records. Doctors and nurses understand this. But the healthcare establishment increasingly doesn't care. Privacy Is Not Your Insurance Company's Responsibility While my local hospital is busy reminding its employees to respect patient confidentiality, my health insurance company is busy reminding me that privacy is not compatible with its way of doing business. Like nearly all Americans, in order to have my insurance pay for a doctor's visit, I have to fill out a claim form. And at the bottom of the form is a little contract that washes away any quaint preconceptions of privacy that I might have. The contract is called a consent form. It says: I authorize any physician, hospital, or other medically related facility, insurance company, or other organization, institution or person, that has any records or knowledge of me, my dependents, or our health, to disclose, whenever requested to do so by CNA or its representatives, any and all such information. A photostatic copy of this authorization shall be considered as effective and valid as the original. I'm not a lawyer, but it doesn't take a lawyer to understand what this consent form means. As a precondition to having my insurance company reimburse me the $50 for the doctor's visit and the $14 for my antibiotics, I authorize everybody to divulge all of my records to anybody. This blanket authorization covers all records: school records, tax records, and bank records. It even covers those embarrassing love letters I wrote to my ninth-grade girlfriend. 
And it is an indefinite authorization, with no expiration date or time period. Some people think that consent forms such as this one are not enforceable. These people have a reasonable expectation that my insurance company might call up my doctor to get a diagnosis or additional proof that a particular service was rendered, but they doubt that an insurance company would go after all of those other files. After all, there is no legitimate business reason for them to do so. That's just plain common sense, isn't it? The problem with this common-sense approach to legal contracts is that it is often wrong. The authorization form means what it says it does. "Any records" means any records. "All information" really does leave nothing out. The blanket authorization allows the insurance company to go after any personal record it wants. "The reason that [the claim form] is worded that way is so that we can get the information that we would need" to detect fraud, says Roger Morris, a spokesperson for CNA insurance. "It's not our goal to accumulate information on individuals, but it is our goal to try to protect the interests of our policy holders". The overly broad release allows the insurance company to investigate cases of suspected fraud without fear of being sued for invasion of privacy. These corporate savings eventually translate to lower insurance premiums for everybody, says Morris. Of course, the savings also translate to higher corporate profits. Health insurers say further that there is no reason for us to worry about providing them with sensitive information. "The insurance industry has a pretty good record helping to maintain privacy. We are required and committed to following laws on the books," says Richard Coorsh, the spokesperson for the Health Insurance Association of America. The American public may feel otherwise. 
According to the 1993 Harris-Equifax survey on healthcare privacy issues, 15% of those who had their medical confidentiality violated -- representing 7.5 million people -- said that it had been violated by insurance companies. Another person who feels otherwise is George Washington University professor Amitai Etzioni, author of The Limits of Privacy. In his book, which is generally critical of privacy, Etzioni nevertheless affirms the importance of privacy for medical records. And the real threat to medical records privacy, writes Etzioni, isn't government: it's business. To try to understand the motivation behind the authorization form, I called up Albert H. Wohlers & Co., the Illinois-based company that administrated my insurance policy for CNA. I spent an hour working my way up through a chain of claims processors and supervisors, until I was finally transferred to the office of James Malik, whom I was assured would be happy to answer my questions. But when I got to Mr. Malik's office, I was informed by his assistant that I couldn't talk to him. I asked for his title; she wouldn't tell me. I asked for her name, and she wouldn't tell me that either. She said that if I had a question, I should submit it in writing. Then she hung up on me. The treatment that I got at the hands of Albert H. Wohlers & Co. is symptomatic of a deep-rooted problem with the U.S. healthcare industry. Healthcare is a weird confluence of money and medicine, and it's played by the rules of billion-dollar companies. No matter how strange or arbitrary those rules may seem, they are the rules. If you wish to get insurance, see your doctor, or have your hospital visits paid for, you will play by them. And since insurance companies save money when they lose customer claims, they actually have a financial incentive to offer poor customer service. All of this is true because the people paying the insurance company's bills are not those who are utilizing its services. 
We should also be fearful of the nonmedical uses that businesses make of medical records, warns Etzioni, who cites an unpublished 1996 study which found that "35 percent of the Fortune 500 companies acknowledged that they drew on personal health information in making employment decisions." One of the most common ways that employers get this information is from insurance companies or from self-insured health plans -- that is, plans that are administered by professional health insurance companies but paid for by the businesses themselves. (Such self-insurance plans are exceedingly popular because they give big businesses more flexibility under the law to violate their employees' rights.) One of the cases that Etzioni cites is that of a Southeastern Pennsylvania Transit Authority (SEPTA) employee who was taking AIDS medications. SEPTA learned of the medications when it was asked to reimburse their purchases, and the information was provided to the man's supervisor. By reading the authorization paragraph at the bottom of my health insurance claim form, I was doing something subversive. Many don't read the forms they sign during their day-to-day lives -- the forms are too depressing. These forms and the policies behind them create and reinforce feelings of powerlessness. They are the trappings of a system that's been gimmicked against the consumer. We do not have the choice either to negotiate or to strike our own deal. Our only choice is to submit. Nobody Knows the MIB As part of his Ph.D. thesis at the Harvard Business School on privacy policies in corporate America, Jeff Smith surveyed more than a thousand people on a variety of privacy issues, and conducted in-depth interviews with several dozen. One of the key questions he asked was whether people had ever heard of a company called the Medical Information Bureau (MIB). What he found wasn't terribly surprising: they hadn't.
Only one consumer in the sample was aware of the existence of MIB, even though all but two of the consumers had applied for life insurance and had gone through an underwriting process. One can only conclude that the consumers had not read the insurance application forms very carefully, since the MIB notification was surely included. However, this lack of awareness may also point to some inadequacies in the notification procedure. I asked my wife if she knew what the Medical Information Bureau was. She said that she didn't. I then showed her a medical insurance application that she had filled out nearly two years before. It included these two paragraphs: I AUTHORIZE any physician, medical practitioner, hospital, clinic, other medical or medically-related facility, the Medical Information Bureau, Inc., (MIB, Inc.), consumer reporting agency, insurance or reinsuring company, or employer having certain information about me or my dependents to give John Alden Life Insurance Company or its legal representative any and all such information. The nature of the information authorized to be disclosed includes information about: (1) physical condition(s), (2) health history(ies), (3) avocations(s), (4) age(s), (5) occupation(s), and (6) personal characteristics. This authorization includes information about: (1) drugs, (2) alcoholism, (3) mental illness, or (4) communicable diseases. I UNDERSTAND the information obtained by use of the Authorization will be used by JOHN ALDEN LIFE INSURANCE COMPANY to determine eligibility for benefits. I ALSO AUTHORIZE JOHN ALDEN LIFE INSURANCE COMPANY to release any information obtained to reinsuring companies, Medical Information Bureau, Inc., or other persons or organizations performing business or legal services in connection with my application, claim, or as may be otherwise lawfully required, or as I may further authorize. "Is that your signature at the bottom of this form?" I asked her. Yes, it was. She then read the form again. 
Still, she had no real clue what the MIB was, other than that it was probably some kind of clearinghouse for medical information.

In fact, what the Medical Information Bureau keeps in its computers is information about people. Specifically, every time you report a significant medical condition on an insurance application -- anything from heart problems to skin cancer -- the insurance company can report that condition to MIB. The next time you apply for insurance, your "new" insurance company will pull your MIB file and find out what you previously reported.

In theory, MIB is supposed to prevent people who have significant medical conditions (and have been repeatedly rejected when they apply for insurance) from suddenly omitting their conditions from their applications and then getting health and life insurance with low-cost premiums that are reserved for healthy people. MIB helps "keep the cost of insurance down for insurance companies and for consumers by preventing losses that would occur due to fraud or omissions," says Neil Day, MIB's president.

MIB isn't supposed to be a medical blacklist. Member insurers are officially forbidden from using the information contained in MIB's files as the basis for denying insurance. Instead, they are only allowed to use the information as the basis for further investigation. At least, those are the rules.

MIB was organized in 1902 as a nonprofit trade organization; today, roughly 750 insurance companies belong. MIB's files don't contain medical records, test results, or X-rays. Instead, each person's file contains one or more codes that stand for a particular medical condition that has been reported for that person. There are codes that signify diabetes, heart problems, and drug abuse. Some codes are very detailed. For example, Jeff Smith found that MIB had five codes for AIDS:

* AIDS-related complex or condition (ARC) or acquired immune deficiency syndrome (AIDS).
* Unexplained history of thrush, other opportunistic infections, weight loss, generalized chronic swelling of lymph nodes, persistent fever, or diarrhea.
* Abnormal T-cell study.
* Abnormal blood test for which there is no specific code.
* Two or more different types of antibody tests indicating exposure to the HTLV-III (AIDS) virus; this code is no longer used.

Not all of the codes at the Medical Information Bureau are medical, Smith noted. For example, MIB has five codes that indicate a dangerous lifestyle, including "adverse driving records, hazardous sports, or aviation activity". These codes map to similar questions on most life insurance forms.

MIB is thus the official insurance agency gossip columnist. MIB helps make sure that if one life insurance company rejects a person on medical grounds, then other life insurance companies will be made aware of the ailment and reject that person as well.

MIB has been the subject of ongoing controversy since the 1970s, when its existence first became generally known. At the root of the controversy is the organization's penchant for secrecy. For many years, insurance agencies consulted MIB without telling applicants about the files. MIB was not mentioned in the few books on consumer issues and consumer privacy. MIB even had an unlisted phone number. Today, the secrecy continues, if to a lesser extent: MIB won't release the list of codes that it uses. Day explains:

    The whole point of a code list is to protect confidentiality. The MIB report is very brief. It is about a 2 x 2 piece of paper that has, on average, between two and three codes. The codes are generally three digits -- "321" -- sometimes there are additional letters -- it might be "321XYZ". A major point in protecting confidentiality is to have a code list which is used by authorized persons at insurance companies, but not to have that code list available to anyone else.
Keeping secret the mapping between the actual code and the conditions that the codes stand for does protect privacy, to a certain extent. But no privacy is gained by keeping secret the list of coded conditions. Put it another way: is any patient confidentiality lost by my reporting that MIB has in its files the five AIDS-related codes printed above?

By keeping secret not just the codes but also the English descriptions of what each code means, MIB has left itself open to the attack that its files contain more than just medical information. In the past, says Privacy Journal publisher Robert Smith, MIB had codes that stood for "sexual deviance" and "sloppy appearance". Day disagrees, but since MIB won't release the list of conditions for which it has created codes, there is really no way to know for sure.

There have also been disagreements over the accuracy of MIB's files. The Fair Credit Reporting Act specifically exempts medical records, but MIB agreed to be voluntarily bound by the rules after a 1983 examination by the Federal Trade Commission. Since then, MIB has received roughly 15,000 requests by individuals each year, says Day. Between 250 and 300 patients per year argue with the contents of their report, he says. Overall, "97% of all consumers who received their MIB report [in 1996] found that their MIB record was accurate," reads a company pamphlet. But if you happen to be one of those 300 patients, you might find yourself without medical or life insurance.

In 1990, the Massachusetts Public Interest Research Group (MASSPIRG) did a study on MIB and found numerous cases in which erroneous records in the company's files had prevented people from getting insurance. In one case, says Josh Kratka, a MASSPIRG attorney, a Massachusetts man told his insurance company that he had been an alcoholic but had managed to remain sober for several years and that he regularly attended Alcoholics Anonymous. The insurance company denied him coverage and forwarded a code to MIB: "alcohol abuse; dangerous to health". The next company the man applied to for insurance learned of the "alcohol abuse" through the information bureau and charged the man a 25% higher rate. In another case, a clerical error caused a woman's records at MIB to say that she carried the AIDS virus. "It was only after unusual intervention by the state regulatory board," because the woman worked for a physician, that the records were corrected, MASSPIRG discovered.

MIB claims that if these people were rejected from getting insurance as a result of the MIB report, then the report was being used incorrectly. And the company stresses that MIB reports are based on insurance applications -- never on claims. But this protest rings hollow in light of insurance claim forms, which specifically give the insurance company the right to report claim information to MIB. "The MIB guidelines are clear, but only a series of independent audits of life/health insurance companies would yield a definitive answer regarding actual practices," says Jeff Smith. "To the best of my knowledge, no researcher outside the industry has conducted such a series of audits."

Forcing Physicians to Lie

Indeed, insurance companies obtain information from a variety of sources, including the Disability Insurance Record System (DIRS) and the Health Claims Index. And the fact that insurance companies are lawfully allowed to deny consumers health or life insurance because of preexisting conditions has put doctors under a tremendous amount of pressure. On the one hand, doctors clearly have a professional and legal requirement to keep accurate records on their patients and submit truthful billing statements. On the other hand, doctors know that if they are truthful in their diagnoses, they might be creating notations in their patients' healthcare records that will prevent the patient from getting insurance in the future.
Even without a written diagnosis, much of what insurance companies want to learn can be gleaned automatically from billing codes. "Insurance companies collect tremendous amounts of information," says Dr. Peter Tarczy-Hornoch, who directs numerous telemedicine projects at the University of Washington Medical Center. The information is "not the really cool sexy information". Instead, it's things like "What medical diseases did your grandmother have? Have you ever been hospitalized with a drug or alcohol problem? Do you have a problem that is expensive to take care of that you have previously taken care of? They are not particularly concerned with accuracy. It's a screening process. Ninety percent is good enough for a lot of this stuff."

Ninety percent is good enough for a medical insurance company to figure out if it should try to sell you life insurance, or if it should turn down your application. Ninety percent is good enough to decide how far to hike your or your company's insurance rates when it's time to renew. Ninety percent is good enough to systematically exclude the people most likely to need health insurance in the first place. And what if you happen to be one of the unlucky 10% who are denied insurance or face higher premiums even though there is really nothing wrong with you? Your best bet is to try another insurance company and hope that your erroneous information hasn't been forwarded to MIB.

Faced with this dilemma, some doctors have chosen to lie. Instead of putting down a particular diagnosis or billing code, they use a code that has a similar reimbursement rate but lacks the social stigma and long-term insurance implications. For example, says Tarczy-Hornoch, a doctor might use the billing code for "adjustment disorder" instead of "depression." Medical professionals call these alternate diagnoses surrogates. The practice has questionable legality -- it is a kind of fraud, after all -- and there are no good statistics regarding its prevalence.
But it is clear that surrogates create a kind of cat-and-mouse game between doctors and insurers, with insurance companies constantly trying to figure out what surrogates are currently in vogue, and with doctors trying to figure out new ones. What complicates the game is the fact that different doctors in different parts of the country use different surrogates, and that some people actually have the surrogate conditions, rather than the nastier conditions for which the surrogates stand.

My wife and I discovered this particular side effect of surrogates in 1994, when Beth applied for health insurance. The insurance company gave Beth a form to have her therapist fill out. When the form was returned, the insurance application was denied. The reason Beth was denied, we later learned, was that Beth's therapist had told the insurance company that Beth had been seen and diagnosed with a case of "generalized anxiety". There was good reason for Beth's anxiety -- she had been seen just three weeks before we were getting married! But the problem was that other therapists in our area had taken to using "generalized anxiety" as a surrogate for a patient who has depression and is being treated with antidepressants. Understandably, the insurance company didn't want to take on a potentially expensive customer like my wife. After all, insurance companies only make money when they insure the healthy.

In August 1996, President Clinton signed the Health Insurance Portability and Accountability Act. Under this law, U.S. health insurance companies are forbidden from excluding new employees from their employer's group health insurance packages because of preexisting conditions. But that is as far as the act goes. Insurance companies must offer coverage for preexisting conditions, but they can do it at astronomical rates. They can also choose not to renew an entire company's health insurance package because one person joined the company who had an expensive preexisting condition. This might not impact a company like IBM or Exxon, but it can be a major factor for small businesses. The act only covers employees who are changing from one employer's health insurance program to another -- it doesn't cover people who are self-employed, or those who have to buy their own health insurance because they work at companies that don't provide health insurance to their employees. Finally, the act says nothing about life insurance, which has a long history of using medical records in a discriminatory manner. After all, it's life insurance companies that created MIB in the first place.

A Right to Your Self

As we move into the twenty-first century, it is unthinkable that people would be denied access to their own medical records. Indeed, 96% of Americans believe that the right to be able to obtain a copy of their own medical record is important, and 84% believe it is "very important". Yet for many Americans, no such right exists. According to the Privacy Journal's Compilation of State and Federal Privacy Laws, only 23 states give patients the right to view their own medical histories (see the sidebar). Despite the laws, however, even residents of these states sometimes find that their doctors deny them access to copies of their records.

How can you get around this conundrum? Lie. Advise your doctor that you're moving, and that your medical records should be copied and sent to a doctor in another state. Of course, instead of giving the name of just any doctor, give the name of an old college friend whom you've notified and who knows what to expect. In my experience, this piece of subterfuge has never failed to work.
States That Grant Patients the Right To View Their Own Medical Records

Arizona
California
Colorado
Connecticut
Florida
Georgia
Hawaii
Illinois
Indiana
Kansas (mental records only)
Louisiana (partial access)
Maryland (partial access)
Massachusetts
Nevada
New York
Ohio (law applies only to hospitals)
Oregon (law only encourages open access)
Rhode Island
Tennessee (law applies only to hospitals)
Utah (records are provided to the patient's attorney, not the patient)
Virginia
Wisconsin

According to the 1993 Harris-Equifax survey, most Americans (87%) believe that they "know everything" or "have a general idea, but don't know in detail" what's in their medical records. And approximately one in four Americans have asked to see the contents of their medical records. When they've asked to see it, 92% were able to get a copy. Of those who were denied this fundamental right, 31% were told that the medical record couldn't be located; 25%, representing four million Americans, were simply denied the request, with no reason given.

Such problems are considerably worse overseas. In Germany, for example, individuals not only do not have a right to see their medical records, but there is also a tradition of hiding diagnoses of cancer and other stigmatized diseases from the sick and, in some cases, from family members. Germany is now creating a national cancer registry, and it is taking considerable pains to use sophisticated cryptographic algorithms to scramble the names of people who are entered into the system. But the purpose of the cryptography is not to protect people's identity or privacy. In fact, it's just the opposite: the cryptographic controls are designed to prevent a person diagnosed with cancer from accidentally discovering his own diagnosis.

Denying people access to their own medical records is fundamentally wrong.
Twenty-five years ago, the drafters of the Code of Fair Information Practices realized that there must be no records kept on a person that the person cannot inspect and correct. It is astonishing that, even in countries with progressive privacy protection, this practice continues.

Ironically, increased access to a patient's own records is one of the benefits of the lack of medical records privacy today. With physicians so willing to send medical records to insurance companies and to other doctors, it's all but impossible to keep these records out of the hands of a determined patient. In fact, the combination of patient rights movements, increased health insurance portability, and the trend toward self-employment will all likely result in giving people increased access to their own medical records in the coming years. But exploiting the lack of confidentiality in medical records is a lousy way to assure patient rights.

From owner-med-privacy@venice.essential.org Sat Jan 15 22:26:20 2000
Return-Path:
Delivered-To: med-privacy@venice.essential.org
Received: from rothko.bestweb.net (rothko.bestweb.net [209.94.100.160]) by venice.essential.org (Postfix) with ESMTP id B7EE921B05; Sat, 15 Jan 2000 22:26:19 -0500 (EST)
Received: from 216.179.3.226 (dialin-795-tnt.nyc.bestweb.net [216.179.4.33] (may be forged)) by rothko.bestweb.net (8.9.1a/8.9.0) with SMTP id WAA21386; Sat, 15 Jan 2000 22:26:11 -0500 (EST)
From: siouxie@bestweb.net
Message-ID: <388102B7.2B01@bestweb.net>
Date: Sat, 15 Jan 2000 18:29:05 -0500
Reply-To: siouxie@bestweb.net
Organization: home
X-Mailer: Mozilla 3.01-C-MACOS8 (Macintosh; I; PPC)
MIME-Version: 1.0
To: Med-privacy@venice.essential.org
Cc: med-privacy@venice.essential.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: [Med-privacy] Database Nation's Beta Chapter

I certainly hope that in the final version of this book the author indicates to the reader from the beginning that he has the consent of his spouse to
disclose the details about her that he discloses. If he does not have this consent, by my reading--and by his own thesis in this beta chapter--he has violated her privacy, and a reader like me is left with a huge question: does his wife know that the world is being told about her diagnosis of "adjustment disorder" or that she has gone to a Boston-area clinic for an AIDS/HIV test?

From owner-med-privacy@venice.essential.org Sun Jan 16 06:57:18 2000
Return-Path:
Delivered-To: med-privacy@venice.essential.org
Received: from finch-post-10.mail.demon.net (finch-post-10.mail.demon.net [194.217.242.38]) by venice.essential.org (Postfix) with ESMTP id 95E5C21B05 for ; Sun, 16 Jan 2000 06:57:15 -0500 (EST)
Received: from dmed.demon.co.uk ([158.152.98.22]) by finch-post-10.mail.demon.net with smtp (Exim 2.12 #1) id 129oIw-000Nzw-0A for med-privacy@venice.essential.org; Sun, 16 Jan 2000 11:57:11 +0000
Message-ID: <3881A3D1.F84@dmed.demon.co.uk>
Date: Sun, 16 Jan 2000 10:56:17 +0000
From: Peter Mitchell
Reply-To: pete@dmed.demon.co.uk
Organization: London, England
Return-Receipt-To: receipts@dmed.demon.co.uk
MIME-Version: 1.0
To: med-privacy@venice.essential.org
Subject: Re: [Med-privacy] med-privacy: RWJ "HealthKey" program (release)
References: <387F8CAD.891A0C03@ix.netcom.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Peter, could you avoid posting HTML documents to the med-priv mailing list? They are meant for web browsing not e-mail - many email clients can't handle them and they take up a lot of bandwidth - this one was 30k. Thanks.
--
Pete Mitchell

From owner-med-privacy@venice.essential.org Tue Jan 25 17:49:29 2000
Return-Path:
Delivered-To: med-privacy@venice.essential.org
Received: from smtp6.mindspring.com (smtp6.mindspring.com [207.69.200.110]) by venice.essential.org (Postfix) with ESMTP id 8F4E521AFF for ; Tue, 25 Jan 2000 17:49:29 -0500 (EST)
Received: from ix.netcom.com (user-2ini9j9.dialup.mindspring.com [165.121.38.105]) by smtp6.mindspring.com (8.9.3/8.8.5) with ESMTP id RAA05332 for ; Tue, 25 Jan 2000 17:49:25 -0500 (EST)
Message-ID: <388E29F5.C5EA8E91@ix.netcom.com>
Date: Tue, 25 Jan 2000 14:56:11 -0800
From: Peter Marshall
X-Mailer: Mozilla 4.08 (Macintosh; I; PPC)
MIME-Version: 1.0
To: med-privacy@venice.essential.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: [Med-privacy] new WA State med-priv bill

_______________________________________________
SENATE BILL 6684
_______________________________________________

State of Washington 56th Legislature 2000 Regular Session

By Senators Thibaudeau, Kline, Roach and Kohl-Welles

Read first time 01/24/2000. Referred to Committee on Health & Long-Term Care.

AN ACT Relating to the privacy of medical records; amending RCW 70.02.020, 70.02.050, and 70.02.170; and prescribing penalties.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

Sec. 1. RCW 70.02.020 and 1993 c 448 s 2 are each amended to read as follows:

Except as authorized in RCW 70.02.050, (({- a health care provider, an individual who assists a health care provider in the delivery of health care, or an agent and employee of a health care provider -})) {+ no person +} may (({- not -})) disclose health care information about a patient to any other person without the patient's written authorization. A disclosure made under a patient's written authorization must conform to the authorization.
Health care providers or facilities shall chart all disclosures(({- , except to third-party payors, -})) of health care information, such chartings to become part of the health care information.

Sec. 2. RCW 70.02.050 and 1998 c 158 s 1 are each amended to read as follows:

(1) A health care provider may disclose health care information about a patient without the patient's authorization to the extent a recipient needs to know the information, if the disclosure is:

(a) To a person who the provider reasonably believes is providing health care to the patient;

(b) To any other person who requires health care information for health care education, or to provide planning, quality assurance, peer review, or administrative, legal, financial, or actuarial services to the health care provider; or for assisting the health care provider in the delivery of health care and the health care provider reasonably believes that the person:
(i) Will not use or disclose the health care information for any other purpose; and
(ii) Will take appropriate steps to protect the health care information;

(c) To any other health care provider reasonably believed to have previously provided health care to the patient, to the extent necessary to provide health care to the patient, unless the patient has instructed the health care provider in writing not to make the disclosure;

(d) To any person if the health care provider reasonably believes that disclosure will avoid or minimize an imminent danger to the health or safety of the patient or any other individual, however there is no obligation under this chapter on the part of the provider to so disclose;

(e) Oral, and made to immediate family members of the patient, or any other individual with whom the patient is known to have a close personal relationship, if made in accordance with good medical or other professional practice, unless the patient has instructed the health care provider in writing not to make the disclosure;

(f) To a health care provider who is the successor in interest to the health care provider maintaining the health care information;

(g) For use in a research project that an institutional review board has determined:
(i) Is of sufficient importance to outweigh the intrusion into the privacy of the patient that would result from the disclosure;
(ii) Is impracticable without the use or disclosure of the health care information in individually identifiable form;
(iii) Contains reasonable safeguards to protect the information from redisclosure;
(iv) Contains reasonable safeguards to protect against identifying, directly or indirectly, any patient in any report of the research project; and
(v) Contains procedures to remove or destroy at the earliest opportunity, consistent with the purposes of the project, information that would enable the patient to be identified, unless an institutional review board authorizes retention of identifying information for purposes of another research project;

(h) To a person who obtains information for purposes of an audit, if that person agrees in writing to:
(i) Remove or destroy, at the earliest opportunity consistent with the purpose of the audit, information that would enable the patient to be identified; and
(ii) Not to disclose the information further, except to accomplish the audit or report unlawful or improper conduct involving fraud in payment for health care by a health care provider or patient, or other unlawful conduct by the health care provider;

(i) To an official of a penal or other custodial institution in which the patient is detained;

(j) To provide directory information, unless the patient has instructed the health care provider not to make the disclosure;

(k) In the case of a hospital or health care provider to provide, in cases reported by fire, police, sheriff, or other public authority, name, (({- residence, -})) sex, age, occupation, (({- condition, diagnosis, -})) or extent and location of injuries as determined by a physician, and whether the patient was conscious when admitted.

(2) A health care provider shall disclose health care information about a patient without the patient's authorization if the disclosure is:

(a) To federal, state, or local public health authorities, to the extent the health care provider is required by law to report health care information(({- ; -})){+ , or +} when needed to determine compliance with state or federal licensure, certification or registration rules or laws(({- ; or when needed to protect the public health -}));

(b) To federal, state, or local law enforcement authorities to the extent the health care provider is required by law;

(c) To county coroners and medical examiners for the investigations of deaths {+ of patients whose health care information is disclosed +};

(d) Pursuant to compulsory process in accordance with RCW 70.02.060.

(3) All state or local agencies obtaining patient health care information pursuant to this section shall adopt rules establishing their record acquisition, retention, and security policies that are consistent with this chapter.

Sec. 3. RCW 70.02.170 and 1991 c 335 s 801 are each amended to read as follows:

(1) A person who has complied with this chapter may maintain an action for the relief provided in this section against a (({- health care provider or facility -})) {+ person +} who has not complied with this chapter.

(2) The court may order the (({- health care provider or other -})) {+ noncomplying +} person to comply with this chapter. Such relief may include{+ : (a) One thousand dollars, or +} actual damages, (({- but shall not include consequential or incidental damages. The court shall award - })) {+ whichever is greater, for each violation; (b) R +}easonable attorneys' fees and all other expenses reasonably incurred to the prevailing party{+ ; and (c) Such other relief, including an injunction, as the court may deem appropriate +}.
(3) Any action under this chapter is barred unless the action is commenced within two years after the cause of action is discovered.

(4) A violation of this chapter shall not be deemed a violation of the consumer protection act, chapter 19.86 RCW.

{+ (5) Nothing in this chapter limits the right of a person to recover damages or other relief under any other applicable law. +}

--- END ---

From owner-med-privacy@venice.essential.org Wed Jan 26 00:14:19 2000
Return-Path:
Delivered-To: med-privacy@venice.essential.org
Received: from alastair.tir.com (alastair.tir.com [216.40.128.69]) by venice.essential.org (Postfix) with ESMTP id D706C21AFF for ; Wed, 26 Jan 2000 00:14:18 -0500 (EST)
Received: from lizard (port08.mico01.tir.com [216.40.136.9]) by alastair.tir.com (8.9.1/8.9.1) with SMTP id AAA19504 for ; Wed, 26 Jan 2000 00:14:16 -0500 (EST)
Date: Wed, 26 Jan 2000 00:14:16 -0500 (EST)
Message-Id: <200001260514.AAA19504@alastair.tir.com>
X-Sender: downeast@mail.tir.com
X-Mailer: Windows Eudora Version 1.4.4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: med-privacy@venice.essential.org
From: downeast@tir.com (downeast)
Subject: [Med-privacy] New WA State Med-Priv Bill

Not being great at reading "legalese", doesn't this bill allow a hospital to provide the COMPLETE radiology report, including the findings/results, to an outside billing service? This is what one of our local hospitals does. I fail to see where it is necessary for an outside billing service to know the RESULTS/FINDINGS of a procedure - and I object to it. However, IF I want my insurance company to pay for the procedure I have to sign the hospital's Release of Information sheet. I make it a point to add "only as much information as needed for billing purposes" but don't know that that is adequate. Or that the hospital pays any attention to it. I also make it a point to request a copy of the Release that I sign that includes my stipulation.
From owner-med-privacy@venice.essential.org Fri Jan 28 15:25:58 2000
Return-Path:
Delivered-To: med-privacy@venice.essential.org
Received: from smtp6.mindspring.com (smtp6.mindspring.com [207.69.200.110]) by venice.essential.org (Postfix) with ESMTP id 1E40321B05 for ; Fri, 28 Jan 2000 15:25:58 -0500 (EST)
Received: from ix.netcom.com (user-2ini9ki.dialup.mindspring.com [165.121.38.146]) by smtp6.mindspring.com (8.9.3/8.8.5) with ESMTP id PAA29302 for ; Fri, 28 Jan 2000 15:25:52 -0500 (EST)
Message-ID: <3891FCDA.9CFC7087@ix.netcom.com>
Date: Fri, 28 Jan 2000 12:32:38 -0800
From: Peter Marshall
X-Mailer: Mozilla 4.08 (Macintosh; I; PPC)
MIME-Version: 1.0
To: med-privacy@venice.essential.org
Content-Type: multipart/mixed; boundary="------------98EA93B759C544216A502EC3"
Subject: [Med-privacy] WA State "patient bill of rights"

This is a multi-part message in MIME format.
--------------98EA93B759C544216A502EC3
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

> Health Daily from PersonalReader.com
> Friday, January 28, 2000
> ***************************************************************************
>
> GETTING COLD FEET OVER PATIENT BILL OF RIGHTS
>
> A patient "bill of rights" is sailing through the Washington state
> legislature with virtually no opposition. But the Seattle Times points out
> that a few parties are beginning to get cold feet -- including government
> officials. The measure calls for independent reviews of HMO treatment
> decisions. It also would require that more information be handed over to
> patients, and would allow patients to sue health organizations if they are
> denied medically necessary treatments. One problem: Rates could surely go
> up, and the government would have to foot a much bigger bill for its own
> employees.
>
> http://www.seattletimes.com/news/local/html98/heal_20000127.html
>
> Copyright (c) 2000 PersonalReader.com
AAABAAAACwA0gAsgBgAAAAAAwAAAAAAAAEYAAAAAAIgAAAAAAAALADaACyAGAAAAAADAAAAAAAAA RgAAAAAFiAAAAAAAAAIB+A8BAAAAEAAAAOofzVBGn74RqtqiLelz4lUCAfoPAQAAABAAAADqH81Q Rp++Earaoi3pc+JVAgH7DwEAAABzAAAAAAAAADihuxAF5RAaobsIACsqVsIAAFBTVFBSWC5ETEwA AAAAAAAAAE5JVEH5v7gBAKoAN9luAAAAQzpcV0lORE9XU1xBcHBsaWNhdGlvbiBEYXRhXE1pY3Jv c29mdFxPdXRsb29rXG91dGxvb2sucHN0AAADAP4PBQAAAAMADTT9NwAAAgF/AAEAAAAxAAAAMDAw MDAwMDBFQTFGQ0Q1MDQ2OUZCRTExQUFEQUEyMkRFOTczRTI1NTQ0MjUzMjAwAAAAABAU --------------A9946BF4DBDE5A311E819042-- --------------98EA93B759C544216A502EC3-- From owner-med-privacy@venice.essential.org Mon Jan 31 04:33:37 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from wisbech.cl.cam.ac.uk (mta1.cl.cam.ac.uk [128.232.0.15]) by venice.essential.org (Postfix) with ESMTP id 5C7FC21B02 for ; Mon, 31 Jan 2000 04:33:36 -0500 (EST) Received: from ouse.cl.cam.ac.uk ([128.232.1.87] helo=cl.cam.ac.uk ident=rja14) by wisbech.cl.cam.ac.uk with esmtp (Exim 3.092 #1) id 12FDDD-0004qI-00 for med-privacy@venice.essential.org; Mon, 31 Jan 2000 09:33:35 +0000 To: med-privacy@venice.essential.org Date: Mon, 31 Jan 2000 09:33:34 +0000 From: Ross Anderson Message-Id: Subject: [Med-privacy] Common criteria protection profiles - errors In October, I talked at NISSC about what would have to be done to the healthcare protection profiles in order to make them acceptable in Europe - and to learn from the European experience generally. A number of the points we picked up need fixing, even for use only in the USA. Lewis Lorton nagged me to write this up as a document, which I've finally done. 
You can get it from:

http://www.cl.cam.ac.uk/ftp/users/rja14/.temp/healthpp.pdf

Hope list members find this helpful

Ross Anderson

From owner-med-privacy@venice.essential.org Tue Feb 1 12:58:33 2000
Date: Tue, 01 Feb 2000 10:05:25 -0800
From: Peter Marshall
Reply-To: The Up for Grabs Discussion List
To: med-privacy@venice.essential.org
Subject: [Med-privacy] user privacy at "medical" websites

MEDICAL WEB SITES FAULTED ON PRIVACY
Issue: Privacy

A study by Georgetown University's Health Privacy Project has found that the 21 leading health web sites are not following through on their privacy policies. "Almost across the board, the privacy practices did not match the policies," said Janlori Goldman, a researcher for the report. The report found that through "cookies" (bits of code placed on a user's computer that help a site identify the user on return visits) and banner advertisements, information is collected about users without their being aware of it. A number of the web sites reviewed gathered personally identifying data about visitors and then passed that data along to third parties, "in direct violation of stated privacy policies." Eight of the 21 sites have a business relationship with the Internet advertising company Doubleclick. "None of the sites that use ad networks disclosed whether they are doing profiling," the report said. "Nor did they explain what is happening with the data being collected by the ad networks." The report will be officially released today at the e-Health Ethics Summit in Washington DC, a gathering of major online health information providers.

[SOURCE: Washington Post (E1), AUTHOR: John Schwartz]
(http://washingtonpost.com/wp-srv/business/feed/a57644-2000feb1.htm)
(c)Benton Foundation 2000

From owner-med-privacy@venice.essential.org Wed Feb 2 15:50:31 2000
Date: Wed, 02 Feb 2000 12:57:22 -0800
From: Peter Marshall
To: med-privacy@venice.essential.org
Subject: [Med-privacy] M.D. v.
HMO on records release

http://www.ama-assn.org/sci-pubs/amnews/pick_00/gvsc0207.htm

From owner-med-privacy@venice.essential.org Thu Feb 3 20:28:34 2000
Date: Thu, 03 Feb 2000 17:35:28 -0800
From: Peter Marshall
Reply-To: owner-action@lists.aclu.org
To: med-privacy@venice.essential.org
Subject: [Med-privacy] ACLU & comments on proposed rules

DT: February 3, 2000

When the Clinton Administration proposed its regulations to protect medical records privacy, the ACLU offered you, our online activists, an action tool that allowed you to fax your comments about the proposal to the Administration. Thousands of you took advantage of our offer and faxed comments into the Department of Health and Human Services. Citing bureaucratic rules, HHS has rejected these faxes.

It appears that for the Department of Health and Human Services, the word "comments" means a bureaucratic and complicated procedure that is meant to discourage public participation. According to the rules they have set, faxes and even snail mail letters -- unless they are sent in quadruplicate -- will not be considered as formal "comments."

Incredibly, only after 2,400 of you faxed in your comments through the ACLU site did HHS notify us that it would not accept these faxes as "official comments."

By insisting that individuals wade through a complex web-based system and by only informing the ACLU that they would not accept other electronic comments after thousands had been sent, we believe the Administration has turned its back on the general public and opened itself largely to insurance companies and other "inside-the-Beltway" lobbyists.

In response, we are today launching a new feature where we've tried to make it easier for you to submit formal comments to the agency. We have created a special feature on our website with the HHS form directly embedded into the page, allowing users to make direct comments without the difficulty of utilizing the HHS homepage. This ACLU feature also provides comment forms and additional information on three aspects of the regulations that need to be strengthened, in addition to providing tools for submitting comments on other aspects of the regulations.

There are only two more weeks until the comment period ends on February 17, and these regulations still need to be strengthened in the areas of consent, law enforcement and the creation of a government database. You can help push the Clinton Administration to listen to the privacy concerns of the American public by participating in the ACLU mini-campaign on the proposed medical privacy regulations at:

http://www.aclu.org/action/medregs

From owner-med-privacy@venice.essential.org Fri Feb 4 13:46:22 2000
Date: Fri, 04 Feb 2000 10:53:16 -0800
From: Peter Marshall
To: med-privacy@venice.essential.org
Subject: [Med-privacy] another on privacy at "health" sites

Society Reader from PersonalReader.com
Friday, February 4, 2000
***************************************************************************

IF YOU CAN'T TRUST YOUR INTERNET HEALTH SITE, WHOM CAN YOU TRUST?

Some well-known Internet health sites are breaking promises to keep personal information about visitors private, a new report says. At stake is not only unwanted e-mail and advertisements, says Digitalmass.com, but also, potentially, the release of sensitive information to bosses and insurers. So, heads up. From Reuters via Boston.com.
Copyright (c) 2000 PersonalReader.com

From owner-med-privacy@venice.essential.org Fri Feb 4 14:51:13 2000
Date: Fri, 04 Feb 2000 11:32:58 -0800
From: Peter Marshall
To: med-privacy@venice.essential.org
Subject: [Med-privacy] NIST healthcare PPs
[fwd'd for Ross Anderson pm]

Ross Anderson wrote:
>
> I found a number of things wrong with the NIST healthcare protection
> profiles, and wrote them up in a short note:
>
> http://www.cl.cam.ac.uk/ftp/users/rja14/.temp/healthpp.pdf
>
> Ross

Content-Type: message/rfc822
Date: Fri, 04 Feb 2000 08:26:41 +0000
From: Ross Anderson
To: Peter Marshall
cc: Ross.Anderson@cl.cam.ac.uk
Subject: NIST healthcare PPs

Hi

I found a number of things wrong with the NIST healthcare protection profiles, and wrote them up in a short note:

http://www.cl.cam.ac.uk/ftp/users/rja14/.temp/healthpp.pdf

I wonder if you could possibly post this URL to the med-privacy list? For some reason it won't take postings from me, and the administrator doesn't answer.

Regards

Ross

From owner-med-privacy@venice.essential.org Mon Feb 7 02:22:56 2000
Date: Sun, 06 Feb 2000 23:31:02 -0800
From: Peter Marshall
To: med-privacy@venice.essential.org
Subject: [Med-privacy] comments on proposed rules

...................................................................
American Health Lawyers Association Health Law Highlights
...................................................................
Volume 2, Issue 6 February 7, 2000

AHA, AAHP POST DRAFT COMMENTS TO HIPAA PROPOSED CONFIDENTIALITY REGS

The American Hospital Association ("AHA") released draft comments on February 3 responding to proposed federal regulations involving confidentiality of medical records under the Health Insurance Portability and Accountability Act ("HIPAA"). The American Association of Health Plans ("AAHP") also posted its comments on the regulations on February 3. Comments on the proposed regulations, published at 64 Fed. Reg. 59917 (Nov. 3, 1999), are due on February 17. Read the AHA's comments at http://www.aha.org/privacyintro2002.html. To read the AAHP comment letter, go to http://www.aahp.org/services/government&advocacy/regulatory/comments/hhsrule.htm.
(NOTE: If that link does not work, go to http://www.aahp.org, click on Government and Advocacy, and then look under "Federal and State Health Policy" for a link to the comment letter.)
...................................................................
Copyright (c)2000 American Health Lawyers Association
...................................................................

From owner-med-privacy@venice.essential.org Thu Feb 10 15:37:25 2000
Date: Thu, 10 Feb 2000 12:34:44 -0800
From: Peter Marshall
Reply-To: declan@well.com
To: med-privacy@venice.essential.org
Subject: [Med-privacy] public participation on med-privacy

[I mentioned this case-of-the-disappearing-faxes in my column last week:
http://www.wired.com/news/print/0,1294,34126,00.html

For shame! I understand that bureaucrats may not really want to listen to the general public (there are few institutional incentives), but a public fax number should be just that. -Declan]

>From: "Melissa Thompson"
>To: "Declan McCullagh (E-mail)"
>Subject: Buried in the A Section this morning...
>Date: Thu, 10 Feb 2000 11:52:34 -0500
>
>Declan,
>
>This article was buried in the A Section of the Washington Post this morning. If it's true that the HHS provided a fax number as a means for the public to opine, then the HHS should have made every effort to include those opinions in their consideration. The same goes for email. If a government agency provides an email address to which the public can opine, then the correspondence on email should carry the same weight as the requested paper correspondence in triplicate!!! UNLESS the HHS makes clear that fax or email correspondence will not be weighed equally (not that that's fair, but if that is the case...), the correspondence SHOULD carry the same weight.
>
>I am a consultant who spends time with political and grassroots clients figuring out ways to open lines of communication online. The government needs to get with the program for this new form of democracy to work!
>
>Thanks for listening,
>Melissa
>
>********************************************
>
>A Fight Over the Fax
>HHS Rejects Comments Via ACLU on Medical Privacy
>By Ben White
>Washington Post Staff Writer
>Thursday, February 10, 2000; Page A21
>
>A week from today, the period for public comment on medical privacy regulations drafted by the Department of Health and Human Services will end. But according to the American Civil Liberties Union, the public will not have been able to comment much.
>
>ACLU officials contend HHS disregarded thousands of faxes sent through the ACLU web site from citizens concerned that the regulations do not go far enough. ACLU officials also argue that HHS generally makes it far too difficult for people to offer comments on important issues.
>
>HHS officials counter that the agency has never accepted public comment via fax and say they have a well-established mechanism for receiving comments on the agency's Web site or via letter.
>
>"I'm not here to say that this is generated by malice of forethought on their [HHS's] part. I'm just surprised by the digging in that they are doing in not accommodating the high level of interest on this," said Laura Murphy, director of the D.C. office of the ACLU.
>
>The dust-up began when President Clinton unveiled rules in October designed to protect the privacy of individual medical records in an era when an increasing amount of personal information flows easily over the Internet.
>
>While generally supportive of efforts to restrict access to medical records, the ACLU criticized the administration's effort as too limp in areas, from law enforcement access to government database creation. The group began a campaign on its Web site to alert people to what it saw as flaws in the proposed regulations.
>
>ACLU officials say they used an HHS-provided fax number for comments in a form on the ACLU Web site allowing individuals to send a personalized fax directly to the agency urging that the regulations be strengthened.

[...]

--------------------------------------------------------------------------

From owner-med-privacy@venice.essential.org Mon Feb 14 15:33:31 2000
Date: Mon, 14 Feb 2000 12:26:39 -0800
From: Peter Marshall
To: med-privacy@venice.essential.org, tp-w@onelist.com
Subject: [Med-privacy] Regulation P

...................................................................
American Health Lawyers Association Health Law Highlights
...................................................................
Volume 2, Issue 7 February 14, 2000 FEDERAL RESERVE BOARD SEEKS COMMENTS ON CONSUMER PRIVACY REGULATION The Federal Reserve Board published for comment its proposed new Regulation P (Privacy of Consumer Financial Information). The regulation would implement the Gramm-Leach-Bliley Act proposed rule provisions that govern the protection and disclosure by financial institutions of nonpublic personal information about consumers. The proposed regulation states that personally identifiable financial information includes medical information. To link to the proposed regulation, go to http://www.federalreserve.gov/BoardDocs/Meetings/2000/20000203/OpenMemos.htm . Copyright (c)2000 American Health Lawyers Association From owner-med-privacy@venice.essential.org Thu Feb 3 13:30:55 2000 Return-Path: Delivered-To: med-privacy@lists.essential.org Received: from server.csdg.com (server.csdg.com [209.94.137.186]) by venice.essential.org (Postfix) with SMTP id C6CE221AFF for ; Thu, 3 Feb 2000 13:30:54 -0500 (EST) Received: from www.csdg.com by server.csdg.com via smtpd (for venice.essential.org [216.0.124.17]) with SMTP; 3 Feb 2000 18:39:49 UT Received: by ANAKIN with Internet Mail Service (5.5.2448.0) id <1F4S8PJY>; Thu, 3 Feb 2000 13:27:01 -0500 Message-ID: From: "Skowyra, Joyce" To: "'Med-privacy@lists.essential.org'" Date: Thu, 3 Feb 2000 13:26:59 -0500 Return-Receipt-To: "Skowyra, Joyce" MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="iso-8859-1" Subject: [Med-privacy] Unsubscribe Thanks ------------------------------------------------ Joyce M. Skowyra, Account Executive Court Square Data Group, Inc. 
1391 Main Street Springfield, MA 01103-1619 joyce@csdg.com http://www.csdg.com 413.746.0054 Voice 413.746.0058 Fax Information solutions that work in the real world From owner-med-privacy@venice.essential.org Sun Feb 13 11:01:53 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from mail.il.freei.net (mail.il.freei.net [216.225.0.117]) by venice.essential.org (Postfix) with ESMTP id E02DB21AFF for ; Sun, 13 Feb 2000 11:01:52 -0500 (EST) Received: from il.freei.net (dial153.b2.tnt1.chi.il.freei.net [216.225.57.153]) by mail.il.freei.net (8.9.3/8.9.3) with ESMTP id KAA54341 for ; Sun, 13 Feb 2000 10:01:50 -0600 (CST) (envelope-from tazjuliet1@il.freei.net) Message-ID: <38A6D6C6.391820F@il.freei.net> Date: Sun, 13 Feb 2000 10:07:35 -0600 From: Brigitte Schultz X-Mailer: Mozilla 4.61 [en] (Win95; I) X-Accept-Language: en MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: [Med-privacy] need info Can you tell me how to get old records or how to find the old records from Manteno State Hospital on my great-grandfather?
Sincerely, Brigitte Schultz From owner-med-privacy@venice.essential.org Fri Feb 18 13:42:35 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from fb04.eng00.mindspring.net (fb04.eng00.mindspring.net [207.69.200.170]) by venice.essential.org (Postfix) with ESMTP id 75D4B21B06 for ; Fri, 18 Feb 2000 13:42:35 -0500 (EST) Received: from ix.netcom.com (user-2ini8c6.dialup.mindspring.com [165.121.33.134]) by fb04.eng00.mindspring.net (8.9.3/8.8.5) with ESMTP id NAA14559; Fri, 18 Feb 2000 13:42:33 -0500 (EST) Message-ID: <38AD9468.67887B13@ix.netcom.com> Date: Fri, 18 Feb 2000 10:50:25 -0800 From: Peter Marshall Reply-To: The Up for Grabs Discussion List X-Mailer: Mozilla 4.08 (Macintosh; I; PPC) MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: [Med-privacy] FTC & healthcare-related sites COMMUNICATIONS-RELATED HEADLINES for FEBRUARY 18, 2000 FTC REVIEWS PRIVACY ISSUES AT HEALTH WEB SITES Issue: Privacy/Health The FTC has decided to launch a broad review of health-care Web sites to see if they are improperly sharing visitors' personal information with third parties. "Based on what we've seen, there's reason to be concerned that there are a number of health companies out there that are not keeping their promises to consumers about the way they're handling personal information," said Richard Cleland from the FTC. A group of health-care Internet companies has formed an association called the Hi-Ethics Alliance to deal with privacy and ethics issues. HealthCentral.com and iVillage.com are two of the sites under investigation.
[SOURCE: Wall Street Journal (B6), AUTHOR: Jerry Guidera, Glenn Simpson, Nick Wingfield] (http://interactive.wsj.com/articles/SB950832549204953612.htm) (c)Benton Foundation 2000 From owner-med-privacy@venice.essential.org Fri Feb 18 15:25:15 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from fb01.eng00.mindspring.net (fb01.eng00.mindspring.net [207.69.229.19]) by venice.essential.org (Postfix) with ESMTP id B8A0C21B06 for ; Fri, 18 Feb 2000 15:25:14 -0500 (EST) Received: from ix.netcom.com (user-2ini8hp.dialup.mindspring.com [165.121.34.57]) by fb01.eng00.mindspring.net (8.9.3/8.8.5) with ESMTP id PAA05875 for ; Fri, 18 Feb 2000 15:25:13 -0500 (EST) Message-ID: <38ADAC78.1C78412B@ix.netcom.com> Date: Fri, 18 Feb 2000 12:33:01 -0800 From: Peter Marshall Reply-To: newsletter@INNSURE.COM X-Mailer: Mozilla 4.08 (Macintosh; I; PPC) MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: [Med-privacy] more on proposed Fed. rules Feb. 
17, 2000 * http://www.insure.com Prying eyes: Medical records at risk http://www.insure.com/health/medicalprivacy200.html insure.com http://www.insure.com From owner-med-privacy@venice.essential.org Mon Feb 21 11:45:17 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from fb01.eng00.mindspring.net (fb01.eng00.mindspring.net [207.69.229.19]) by venice.essential.org (Postfix) with ESMTP id 3216521B02 for ; Mon, 21 Feb 2000 11:45:17 -0500 (EST) Received: from ix.netcom.com (user-2ini9ed.dialup.mindspring.com [165.121.37.205]) by fb01.eng00.mindspring.net (8.9.3/8.8.5) with ESMTP id LAA18859; Mon, 21 Feb 2000 11:45:09 -0500 (EST) Message-ID: <38B16D6C.F9F41E51@ix.netcom.com> Date: Mon, 21 Feb 2000 08:53:00 -0800 From: Peter Marshall X-Mailer: Mozilla 4.08 (Macintosh; I; PPC) MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: [Med-privacy] responses to proposed Fed. med-privacy rules Proposal About Confidentiality of Medical Information Draws Plaudits, Complaints By Julie Rovner WASHINGTON, Feb 18 (Reuters Health) - The Clinton administration's proposed rules to protect the privacy of electronic medical information drew both praise and complaints from privacy advocates and healthcare industry officials at a House subcommittee on Thursday, the final day for the public to submit comments. Among those complaining about the rule was the Clinton administration itself. Those complaints, delivered by Dr. Margaret Hamburg, Assistant Secretary for Planning and Evaluation in the Department of Health and Human Services (HHS), largely stemmed from the constraints put on the department by Congress in devising the rules. 
In the 1996 Health Insurance Portability and Accountability Act (HIPAA), Congress ordered itself to enact a comprehensive confidentiality law, stipulating that if it missed its August 21, 1999 deadline to act, the administration would be required to issue its own confidentiality rules. But HIPAA restricted the scope of those rules, Dr. Hamburg told the Ways and Means Subcommittee on Health, to apply only to electronic records, not paper, and to regulate only certain entities, including health plans, healthcare clearinghouses, and healthcare providers that transmit electronic information. The result, she said, is that "this leaves many entities that receive, use and disclose protected health information outside of the system of protection that we propose to create." Privacy advocates lauded the administration for one way that it sought to make up for that gap: by requiring the "business partners" of regulated entities, such as lawyers and accountants, to enter into contracts agreeing to abide by the confidentiality rules. Janlori Goldman of the Georgetown University Health Privacy Project called the business partner section "a good intermediary step to fulfill the intention of the privacy language of HIPAA." But the health industry said that the requirement is unfair and unworkable. "The definition of business partner is so broad that physicians could be the business partner of independent laboratories, health plans could be the business partners of their lawyers and accountants, and hospitals could be the business partners of independent physicians that practice within their walls," testified Alissa Fox of the Blue Cross and Blue Shield Association. Industry officials, however, praised the portion of the regulation that would not require separate authorizations for the use of identifiable information for routine treatment, payment and healthcare operations. 
"When individual hospitals and providers experience millions of patient encounters every day, seeking an individual authorization to disclose information for each of those encounters — and the transactions resulting from them — would have a catastrophic effect on our healthcare system and on patient care," testified Mary Grealy, president of the Healthcare Leadership Council. That same portion of the regulation, however, drew criticism from those concerned about privacy. "The administration's proposal turns its back on the historic requirement for patient consent before the dissemination of medical records information," according to testimony submitted for the record by the American Psychiatric Association. "Regrettably, the proposed rule would authorize the automatic dissemination of patients' medical records, including highly sensitive information." As of Wednesday, Dr. Hamburg told the subcommittee, HHS had received more than 40,000 comments on the regulations, far more than it expected. While Dr. Hamburg would not speculate for reporters after the hearing about when a final rule will be issued, she did promise it before the end of the year. Privacy advocates say that they expect action much sooner, possibly as early as late spring. Copyright © 1999 Reuters Ltd. 
From owner-med-privacy@venice.essential.org Mon Feb 21 14:52:18 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from fb01.eng00.mindspring.net (fb01.eng00.mindspring.net [207.69.229.19]) by venice.essential.org (Postfix) with ESMTP id 2198521B02 for ; Mon, 21 Feb 2000 14:52:18 -0500 (EST) Received: from ix.netcom.com (user-2ini8pb.dialup.mindspring.com [165.121.35.43]) by fb01.eng00.mindspring.net (8.9.3/8.8.5) with ESMTP id OAA13705 for ; Mon, 21 Feb 2000 14:52:10 -0500 (EST) Message-ID: <38B19941.7BA75B9B@ix.netcom.com> Date: Mon, 21 Feb 2000 12:00:17 -0800 From: Peter Marshall X-Mailer: Mozilla 4.08 (Macintosh; I; PPC) MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: [Med-privacy] CyberTrust (GTE) on HIPAA THE TOP 5 THINGS YOU NEED TO KNOW ABOUT HIPAA By Karen Guenther, Vice president, business development [....] HIPAA has been referred to as 'the next Y2K,' which will have a profound impact on healthcare organizations and professionals. [....] 1. HIPAA: The Health Insurance Portability Act, otherwise known as the Kennedy Kassebaum law, is federal legislation that requires Congress to "Improve...the efficiency and effectiveness of the healthcare system by encouraging the establishment of standards and requirements for the electronic transfer of certain health care information." Put simply, this means that healthcare organizations that transfer records and information electronically must follow certain standards for ensuring the records remain secure and confidential. These proposed security standards were published in the Federal Register on August 12, 1998. "HIPAA requires that all health plans, health care providers, and health care clearing houses that maintain or transmit health information electronically establish and maintain appropriate administrative, technical, and physical safeguards to ensure," (Federal Register, Vol. 63, No.
155) Confidentiality: Keeping all transfers of information private. Ensuring that information is not made available or disclosed to unauthorized individuals. Integrity: Ensuring that data has not been changed or altered en route or in storage. Authentication: Making sure the person sending the message is who he or she claims to be. Non-repudiation: Once a transaction occurs, neither the originator nor the recipient can deny that it took place. Authorization: Allowing authenticated users access to network information and resources based on defined privileges. 2. To comply, your healthcare organization must have a Public Key Infrastructure (PKI): The solution that will satisfy HIPAA will be a combination of technologies that will incorporate PKI. PKI, in simplest terms, is a technology infrastructure that manages healthcare user identities in a secure, on-line environment and provides the underlying technology for confidentiality, integrity, authentication, and non-repudiation. PKI is uniquely capable of meeting HIPAA mandates, and as the Federal Government says in HIPAA, PKI is "the only mature technology" available today to meet the digital signature standards. 3. Public Key Infrastructure in a Nutshell: PKI stands for Public Key Infrastructure. PKI, based on software and encryption technology, has been created to secure transactions on the Internet. The foundation of PKI is public key cryptography, an encryption method that uses a two-part key (code) that consists of a public and private component. The message is sent encrypted with the public key and is then read by the recipient with his or her own private key. This technology is quickly becoming the best way to ensure safe business-to-business communication using tools such as certificate authorities and digital certificates to create an enterprise-wide security network. Digital certificates (electronic credentials) are a legally binding electronic confirmation for business transactions.
They provide irrefutable proof that you are who you say you are, and that you can legally sign off on a business transaction. Non-repudiation is a key element of extranet-based business, and password/PIN technology can't do that. Passwords and PINs are not secure, and because of that they actually hold companies back from realizing the full potential of how they can do business online. Password/PIN is a very low level of security, which may be all right if the business you're transacting is of low value, like buying a book, a CD, or even a plane ticket. But it's completely inadequate for high-value, business-to-business transactions. Also, it's too risky for highly personal information, such as healthcare records. 4. Healthcare-related Information and Applications that will be affected. Any type of patient identifiable information, such as health claims or equivalent encounter information, health claim attachments, enrollment and dis-enrollment in a health plan, eligibility for a health plan, health care payment and remittance advice, health plan premium payments, first report of injury, health claim status, referral certification and authorization. 5. Healthcare organizations that will be affected: Department of Health and Human Services HCFA (Health Care Financing Administration), State Medicaid agencies, Health plans / Health Insurers, Healthcare providers; hospitals, clinics, physician practices, Healthcare clearinghouses, and Healthcare web site designers and hosts. [....] When it comes to medical information, it is essential that healthcare providers implement PKI security infrastructures so they can use digital certificates to securely store, transmit and access health records electronically. The thought of personal information on a public network can be intimidating, and patients need to be assured that their private medical histories continue to maintain unparalleled confidentiality.
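The five properties the GTE piece lists (confidentiality, integrity, authentication, non-repudiation, authorization) and its claim that a certificate is "irrefutable proof" of identity are easier to weigh with the mechanism in front of you. What follows is an added example written for this archive; it is not code from the GTE/CyberTrust article, the HealthKey project or any vendor, and it uses only the Go standard library. A hypothetical root CA issues certificates to a physician and to a health plan's claims desk (the names, serial numbers and claim text are all made up for the demo). The physician signs a message with a private key and encrypts it to the claims desk's public key, the exchange the article describes; the claims desk validates the physician's certificate against its trusted root before it believes the signature. The demo then exercises two failure modes a practitioner cares about: a single altered ciphertext byte, and a certificate carrying the same physician name but issued by a CA the claims desk never trusted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// party is one certificate holder: a private key plus the CA-issued certificate
// binding the matching public key to a name. Every party here is constructed for the demo.
type party struct {
	key  *rsa.PrivateKey
	cert *x509.Certificate
}

// newCert generates a key and has issuer sign a certificate for it; a nil issuer
// yields a self-signed root CA.
func newCert(issuer *party, name string, serial int64, isCA bool) (*party, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	usage := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	if isCA { usage = x509.KeyUsageCertSign }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: usage,
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil { parent, signer = issuer.cert, issuer.key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &party{key, cert}, nil
}

// must aborts the demo on a certificate setup error.
func must(p *party, err error) *party {
	if err != nil { panic(err) }
	return p
}

// envelope is what crosses the wire.
type envelope struct {
	senderCert []byte // DER certificate, so the recipient can check who signed
	ciphertext []byte // RSA-OAEP under the recipient's public key
	signature  []byte // RSA-PSS by the sender over SHA-256(message)
}

// seal signs msg with the sender's private key (authentication, integrity,
// non-repudiation) and encrypts it to the recipient's public key (confidentiality).
func seal(sender *party, recipient *x509.Certificate, msg []byte) (*envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender.key, crypto.SHA256, digest[:], nil)
	if err != nil { return nil, err }
	pub, ok := recipient.PublicKey.(*rsa.PublicKey)
	if !ok { return nil, errors.New("recipient certificate does not carry an RSA key") }
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
	if err != nil { return nil, err }
	return &envelope{sender.cert.Raw, ct, sig}, nil
}

// open reverses seal. The sender's certificate is validated against the trusted
// roots before its key is believed for anything: a signature that verifies under
// an untrusted certificate proves nothing about who sent the message.
func open(recipient *party, roots *x509.CertPool, env *envelope) ([]byte, string, error) {
	senderCert, err := x509.ParseCertificate(env.senderCert)
	if err != nil { return nil, "", err }
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := senderCert.Verify(opts); err != nil {
		return nil, "", fmt.Errorf("sender certificate not trusted: %w", err)
	}
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.key, env.ciphertext, nil)
	if err != nil { return nil, "", errors.New("decryption failed: wrong recipient or altered ciphertext") }
	pub, ok := senderCert.PublicKey.(*rsa.PublicKey)
	if !ok { return nil, "", errors.New("sender certificate does not carry an RSA key") }
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], env.signature, nil); err != nil {
		return nil, "", errors.New("signature does not verify under the sender certificate")
	}
	return msg, senderCert.Subject.CommonName, nil
}

// runDemo issues certificates from one trusted CA, exchanges a constructed message,
// then tries an altered ciphertext and a sender certified by a CA the recipient never trusted.
func runDemo() (plaintext, sender string, tamperErr, untrustedErr error) {
	ca := must(newCert(nil, "Example Health CA", 1, true))
	doctor := must(newCert(ca, "Dr. A. Example", 2, false))
	clerk := must(newCert(ca, "Claims Desk, Example Health Plan", 3, false))
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)

	msg := []byte("Claim 0001: referral approved") // constructed sample, not real PHI
	env, err := seal(doctor, clerk.cert, msg)
	if err != nil { panic(err) }
	pt, who, err := open(clerk, roots, env)
	if err != nil { panic(err) }

	// Failure mode 1: one flipped ciphertext byte. OAEP decryption must fail outright.
	tampered := *env
	tampered.ciphertext = append([]byte(nil), env.ciphertext...)
	tampered.ciphertext[len(tampered.ciphertext)-1] ^= 1
	_, _, tamperErr = open(clerk, roots, &tampered)

	// Failure mode 2: a second CA with the same name but a different key certifies an
	// impostor under the doctor's name. Chain validation, not the name, has to catch it.
	rogueCA := must(newCert(nil, "Example Health CA", 1, true))
	impostor := must(newCert(rogueCA, "Dr. A. Example", 2, false))
	env2, err := seal(impostor, clerk.cert, msg)
	if err != nil { panic(err) }
	_, _, untrustedErr = open(clerk, roots, env2)
	return string(pt), who, tamperErr, untrustedErr
}

func main() {
	pt, who, tamperErr, untrustedErr := runDemo()
	fmt.Printf("from %q: %s\n", who, pt)
	fmt.Println("altered ciphertext rejected:", tamperErr != nil)
	fmt.Println("untrusted issuer rejected:", untrustedErr != nil)
}
```

Three points the article glosses over show up in the code. The sender's certificate is validated against the trusted roots before the signature is checked; a signature that verifies under an unvalidated certificate proves only that someone held some key. The message is encrypted directly with RSA-OAEP, which caps it at 190 bytes for a 2048-bit key; real deployments encrypt the payload under a fresh symmetric key and wrap only that key to the recipient. And nothing here implements the article's fifth property, authorization: a certificate says who the sender is, and a separate policy still has to decide what that sender may do. A certificate binds a name to a key only as well as the CA's issuance checks and the holder's key custody; it cannot by itself make proof "irrefutable".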
Copyright 1996-2000 GTE Service Corporation From owner-med-privacy@venice.essential.org Mon Feb 21 15:41:10 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from smtp7.atl.mindspring.net (smtp7.atl.mindspring.net [207.69.128.51]) by venice.essential.org (Postfix) with ESMTP id 7B70321B02 for ; Mon, 21 Feb 2000 15:41:10 -0500 (EST) Received: from ix.netcom.com (user-2ini8a9.dialup.mindspring.com [165.121.33.73]) by smtp7.atl.mindspring.net (8.9.3/8.8.5) with ESMTP id PAA24484 for ; Mon, 21 Feb 2000 15:41:06 -0500 (EST) Message-ID: <38B1A33F.E8746799@ix.netcom.com> Date: Mon, 21 Feb 2000 12:48:59 -0800 From: Peter Marshall X-Mailer: Mozilla 4.08 (Macintosh; I; PPC) MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: [Med-privacy] HealthKey > http://www.ama-assn.org/sci-pubs/amnews/pick_00/bisb0207.htm > [AMNews] [American Medical News] > Grant money to fuel Internet privacy policy research > > Physicians are likely recruits in a five-state project to > develop privacy standards for Internet data transmission. > > By Tyler Chin, AMNews staff. Feb. 7, 2000. > ---------------------------------------------------------- > > A consortium of five statewide community health > information organizations has been awarded a $2.5 million > grant by the Robert Wood Johnson Foundation to develop > confidentiality policies and test security technologies > for transmitting sensitive health data over the Internet. > > Under a project dubbed HealthKey, the consortium will > jointly craft privacy and confidentiality policies.
Each > organization also will individually enlist some of its > members -- physician offices, clinics, insurance > companies and state government agencies -- to test ways > to securely and privately exchange electronic mail, > transactions and data through the Internet. > > Members of the consortium will test what is called public > key infrastructure in three areas: secure > person-to-person messaging, secure point-to-point > transactions from one organization to another and secure > role-based access enabling authorized physicians and > others to access an organization's clinical and > administrative databases. > > Minneapolis-based Minnesota Health Data Institute, for > example, plans to work with the Minnesota Medical Assn. > to recruit physicians to test secure messaging with each > other and transactions with insurance companies, said > John Fraser, institute director of information systems. > > The institute will use public key infrastructure with > electronic directories or white pages, enabling pilot > participants to encrypt that information, digitally sign > documents and use digital certificates to authenticate > and verify users' identities. > > It also will test simplified sign-on, enabling a > physician to access multiple applications by logging onto > a network only once, Fraser said. He emphasized that the > organizations owning the data will determine who will > have access to it. > > "The concern about data confidentiality is so big right > now that we're going to look long and hard at any > technology that is out there to assure physicians and > their patients that their information will be kept > confidential," said Pat Hanson, manager of quality and > data at the MMA.
> > In addition to the institute in Minnesota, other members > of the HealthKey consortium are the Community Health > Information Technology Alliance, part of the > Seattle-based Foundation for Health Care Quality, the > nonprofit administering the grant; Massachusetts Health > Data Institute, Waltham; North Carolina Health > Information and Communications Alliance, Research > Triangle Park; and Utah Health Information Network, Salt > Lake City. > > The membership organizations promote using > standards-based transactions and technologies to ensure > interoperability between information systems from > different organizations and their trading partners. > > As they work, HealthKey members will share knowledge and > best practices at the HealthKey site > (http://www.healthkey.org/). > > The HealthKey project will benefit health care players in > each participant's region; it also could provide a road > map for physician offices and other health care > organizations as they seek to comply with the Health > Insurance Portability and Accountability Act of 1996, > said project participants and industry observers. > > The reason is that HIPAA requires health care > organizations to protect the security and confidentiality > of e-data, but it does not tell them specifically how to > do that, said Françoise Gilbert, a partner at Gray Cary > Ware Freidenrich, a Palo Alto, Calif., law firm. > > The U.S. Dept. of Health and Human Services is scheduled > to publish a final rule governing security in May, to be > effective in July 2002. > > HHS hasn't said when it will publish a final privacy > rule; however, the rule would be effective 26 months > after it is published. > > After the HealthKey project is over, some of the > community networks plan to license or sell their > products.
These include Minnesota and Utah, which > emphasized that they're trying to develop simple, easy > and affordable products to help small to medium-sized > physician offices and providers deal with the emergence > of the Internet as a platform for exchanging health data > and HIPAA requirements. > > Some health care trade associations are undertaking > similar work to HealthKey, but their initiatives are > narrower in scope, said Laura Ripp, project coordinator > of HealthKey. From owner-med-privacy@venice.essential.org Mon Feb 21 17:47:07 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from ee.net (ee.net [206.222.1.5]) by venice.essential.org (Postfix) with ESMTP id 61C3421B02 for ; Mon, 21 Feb 2000 17:47:06 -0500 (EST) Received: from survey1 (33128.cmh.dialup.thenap.net [209.190.33.128]) by ee.net (8.9.0/8.9.0) with ESMTP id RAA21357; Mon, 21 Feb 2000 17:42:46 -0500 (EST) Message-Id: <4.2.2.20000221174149.00c4bf00@pop.win.org> X-Sender: jhenry@pop.win.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Mon, 21 Feb 2000 17:44:00 -0500 To: Peter Marshall , med-privacy@venice.essential.org From: Jim Henry Subject: Re: [Med-privacy] CyberTrust (GTE) on HIPAA In-Reply-To: <38B19941.7BA75B9B@ix.netcom.com> Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=====================_3777641==_.ALT" Peter, You/List subscribers can review our Free WhitePaper for Healthcare/Pharmaceutical Industries electronic records HIPAA compliance; **Healthcare's Security Solutions to Protect Patient Privacy & HIPAA** Use Code/ID "188" to receive (2 page executive management report) @ <http://www.surveyssay.com> In addition an executive brief/white paper on "The New Internet Guardians." Reference Pages 8, 9, 10, 11 regarding cost factors to your organization(s) in respect to email security compliance & ROI of HIPAA implementation.
**Note** you may also use this code/id for additional Free Trial evals/demos/WhitePapers regarding Internet Security/Encryption for HIPAA. Please feel free to extend this limited time invitation to your Staff/Depts. At 12:00 PM 02/21/2000 -0800, Peter Marshall wrote: >THE TOP 5 THINGS YOU NEED TO KNOW ABOUT HIPAA >By Karen Guenther, Vice president, business development > >[....] > > HIPAA has been referred to as >'the next Y2K,' which will have a profound >impact on healthcare organizations and >professionals. > >[....] > >1. HIPAA: The Health Insurance Portability >Act, otherwise known as the Kennedy >Kassebaum law, is federal legislation >that requires Congress to >"Improve...the efficiency and >effectiveness of the healthcare system >by encouraging the establishment of >standards and requirements for the >electronic transfer of certain health >care information." Put simply, this >means that healthcare organizations that >transfer records and information >electronically must follow certain >standards for ensuring the records >remain secure and confidential. These >proposed security standards were >published in the Federal Register on >August 12, 1998. "HIPAA requires that >all health plans, health care providers, >and health care clearing houses that >maintain or transmit health information >electronically establish and maintain >appropriate administrative, technical, >and physical safeguards to ensure," >(Federal Register, Vol. 63, No. 155) > >Confidentiality: Keeping all transfers >of information private. Ensuring that >information is not made available or >disclosed to unauthorized individuals. > >Integrity: Ensuring that data has not >been changed or altered en route or in >storage. > >Authentication: Making sure the person >sending the message is who he or she >claims to be. > >Non-repudiation: Once a transaction >occurs, neither the originator nor the >recipient can deny that it took place.
> >Authorization: Allowing authenticated >users access to network information and >resources based on defined privileges. > >2. To comply, your healthcare organization >must have a Public Key Infrastructure >(PKI): The solution that will satisfy >HIPAA will be a combination of >technologies that will incorporate PKI. >PKI, in simplest terms, is a technology >infrastructure that manages healthcare >user identities in a secure, on-line >environment and provides the underlying >technology for confidentiality, >integrity, authentication, and >non-repudiation. PKI is uniquely capable >of meeting HIPAA mandates, and as the >Federal Government says in HIPAA, PKI is >"the only mature technology" available >today to meet the digital signature >standards. > >3. Public Key Infrastructure in a Nutshell: >PKI stands for Public Key >Infrastructure. PKI, based on software >and encryption technology, has been >created to secure transactions on the >Internet. The foundation of PKI is >public key cryptography, an encryption >method that uses a two-part key (code) >that consists of a public and private >component. The message is sent encrypted >with the public key and is then read by >the recipient with his or her own >private key. This technology is quickly >becoming the best way to ensure safe >business-to-business communication using >tools such as certificate authorities >and digital certificates to create an >enterprise-wide security network. > >Digital certificates (electronic >credentials) are a legally binding >electronic confirmation for business >transactions. They provide irrefutable >proof that you are who you say you are, >and that you can legally sign off on a >business transaction. Non-repudiation is >a key element of extranet-based >business, and password/PIN technology >can't do that. > >Passwords and PINs are not secure, and >because of that they actually hold >companies back from realizing the full >potential of how they can do business >online.
Password/PIN is a very low level >of security, which may be all right if >the business you're transacting is of >low value, like buying a book, a CD, or >even a plane ticket. But it's completely >inadequate for high-value, >business-to-business transactions. Also, >it's too risky for highly personal >information, such as healthcare records. > >4. Healthcare-related Information and >Applications that will be affected. Any >type of patient identifiable >information, such as health claims or >equivalent encounter information, health >claim attachments, enrollment and >dis-enrollment in a health plan, >eligibility for a health plan, health >care payment and remittance advice, >health plan premium payments, first >report of injury, health claim status, >referral certification and >authorization. > >5. Healthcare organizations that will be >affected: Department of Health and Human >Services HCFA (Health Care Financing >Administration), State Medicaid >agencies, Health plans / Health >Insurers, Healthcare providers; >hospitals, clinics, physician practices, >Healthcare clearinghouses, and >Healthcare web site designers and hosts. > >[....] > > When it comes >to medical information, it is essential that >healthcare providers implement PKI security >infrastructures so they can use digital >certificates to securely store, transmit and >access health records electronically. The >thought of personal information on a public >network can be intimidating, and patients need >to be assured that their private medical >histories continue to maintain unparalleled >confidentiality.
> >Copyright >1996-2000 >GTE Service >Corporation > > >_______________________________________________ >Med-privacy mailing list >Med-privacy@lists.essential.org >http://lists.essential.org/mailman/listinfo/med-privacy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Jim Henry, Ex Dir Strategic Alliances JH&A 614.771.4805 / 888.859.8644 Voice / 614.771.4806 Fax 'Advanced E Mail Solutions' Free Trial Demos/WhitePapers Use code/id 110 --=====================_3777641==_.ALT Content-Type: text/html; charset="us-ascii" Peter,

You/List subscribers can review our Free WhitePaper for Healthcare/Pharmaceutical Industries electronic records HIPAA compliance; **Healthcare's Security Solutions to Protect Patient Privacy & HIPAA** Use Code/ID "188" to receive (2 page executive management report) @ <http://www.surveyssay.com>

In addition an executive brief/white paper on "The New Internet Guardians." Reference Pages 8, 9, 10, 11 regarding cost factors to your organization(s) in respect to email security compliance & ROI of HIPAA implementation.  **Note** you may also use this code/id for additional Free Trial evals/demo's/WhitePapers regarding; Internet Security/Encryption for HIPAA. Please feel free to extend this limited time invitation to your Staff/Depts.


At 12:00 PM 02/21/2000 -0800, Peter Marshall wrote:
HE TOP 5 THINGS YOU NEED TO KNOW ABOUT HIPPA
By Karen Guenther, Vice president, business development

[....]

 HIPAA has been referred to as
'the next Y2K,' which will have a profound
impact on healthcare organizations and
professionals.

[....]

1. HIPAA: The Health Insurance Portability Act, otherwise known as the Kennedy-Kassebaum law, is federal legislation that requires Congress to "Improve...the efficiency and effectiveness of the healthcare system by encouraging the establishment of standards and requirements for the electronic transfer of certain health care information." Put simply, this means that healthcare organizations that transfer records and information electronically must follow certain standards for ensuring the records remain secure and confidential. These proposed security standards were published in the Federal Register on August 12, 1998. "HIPAA requires that all health plans, health care providers, and health care clearinghouses that maintain or transmit health information electronically establish and maintain appropriate administrative, technical, and physical safeguards to ensure" (Federal Register, Vol. 63, No. 155):

Confidentiality: Keeping all transfers of information private. Ensuring that information is not made available or disclosed to unauthorized individuals.

Integrity: Ensuring that data has not been changed or altered en route or in storage.

Authentication: Making sure the person sending the message is who he or she claims to be.

Non-repudiation: Once a transaction occurs, neither the originator nor the recipient can deny that it took place.

Authorization: Allowing authenticated users access to network information and resources based on defined privileges.

2. To comply, your healthcare organization must have a Public Key Infrastructure (PKI): The solution that will satisfy HIPAA will be a combination of technologies that will incorporate PKI. PKI, in simplest terms, is a technology infrastructure that manages healthcare user identities in a secure, on-line environment and provides the underlying technology for confidentiality, integrity, authentication, and non-repudiation. PKI is uniquely capable of meeting HIPAA mandates, and as the Federal Government says in HIPAA, PKI is "the only mature technology" available today to meet the digital signature standards.

3. Public Key Infrastructure in a Nutshell: PKI stands for Public Key Infrastructure. PKI, based on software and encryption technology, has been created to secure transactions on the Internet. The foundation of PKI is public key cryptography, an encryption method that uses a two-part key (code) that consists of a public and private component. The message is sent encrypted with the public key and is then read by the recipient with his or her own private key. This technology is quickly becoming the best way to ensure safe business-to-business communication, using tools such as certificate authorities and digital certificates to create an enterprise-wide security network.

Digital certificates (electronic credentials) are a legally binding electronic confirmation for business transactions. They provide irrefutable proof that you are who you say you are, and that you can legally sign off on a business transaction. Non-repudiation is a key element of extranet-based business, and password/PIN technology can't do that.

Passwords and PINs are not secure, and because of that they actually hold companies back from realizing the full potential of how they can do business online. Password/PIN is a very low level of security, which may be all right if the business you're transacting is of low value, like buying a book, a CD, or even a plane ticket. But it's completely inadequate for high-value, business-to-business transactions. Also, it's too risky for highly personal information, such as healthcare records.

4. Healthcare-related information and applications that will be affected: Any type of patient-identifiable information, such as health claims or equivalent encounter information, health claim attachments, enrollment and disenrollment in a health plan, eligibility for a health plan, health care payment and remittance advice, health plan premium payments, first report of injury, health claim status, referral certification and authorization.

5. Healthcare organizations that will be affected: Department of Health and Human Services HCFA (Health Care Financing Administration), state Medicaid agencies, health plans/health insurers, healthcare providers (hospitals, clinics, physician practices), healthcare clearinghouses, and healthcare web site designers and hosts.

[....]

When it comes to medical information, it is essential that healthcare providers implement PKI security infrastructures so they can use digital certificates to securely store, transmit and access health records electronically. The thought of personal information on a public network can be intimidating, and patients need to be assured that their private medical histories continue to maintain unparalleled confidentiality.

Copyright 1996-2000 GTE Service Corporation


_______________________________________________
Med-privacy mailing list
Med-privacy@lists.essential.org
http://lists.essential.org/mailman/listinfo/med-privacy

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Jim Henry, Ex Dir Strategic Alliances
JH&A  614.771.4805 / 888.859.8644 Voice  /  614.771.4806 Fax
'Advanced E Mail Solutions'  Free Trial Demos/WhitePapers Use code/id 110

From owner-med-privacy@venice.essential.org Mon Feb 21 20:50:37 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from smtp7.atl.mindspring.net (smtp7.atl.mindspring.net [207.69.128.51]) by venice.essential.org (Postfix) with ESMTP id 5412821B0A for ; Mon, 21 Feb 2000 20:50:37 -0500 (EST) Received: from ix.netcom.com (user-2ini8s8.dialup.mindspring.com [165.121.35.136]) by smtp7.atl.mindspring.net (8.9.3/8.8.5) with ESMTP id UAA12665; Mon, 21 Feb 2000 20:50:26 -0500 (EST) Message-ID: <38B1EBBF.D5FEB8E6@ix.netcom.com> Date: Mon, 21 Feb 2000 17:52:13 -0800 From: Peter Marshall Reply-To: owner-news@lists.aclu.org X-Mailer: Mozilla 4.08 (Macintosh; I; PPC) MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: [Med-privacy] ACLU on proposed Fed. med-privacy rules

02-21-2000 ACLU Newsfeed -- ACLU News Direct to YOU!

Although Medical Privacy Regulations an Important First Step, ACLU Also Criticizes Loopholes

Thursday, February 17, 2000

WASHINGTON -- The Clinton Administration's proposed medical privacy regulations include several loopholes that threaten the Administration's laudable premise that medical information is private and may not be disclosed to third parties without prior consent, the American Civil Liberties Union said today. "The Administration's proposed regulations are an important first step toward comprehensive federal privacy protections," said Ronald Weich, an ACLU Legislative Consultant. "But there are so many loopholes to the Administration's overall rule that medical records are private that the exceptions threaten to become the rule."
While the proposed regulations do a good job of shielding medical information from disclosure for commercial reasons, the ACLU said that they provide a series of exceptions for government access to data, including for law enforcement agencies and public health agencies. "For many patients," the ACLU said, "the fear of government access to private medical information is as chilling as the fear of commercial access. In fact, many Americans regard the government as more of a threat to liberty than the private sector." The ACLU took particularly harsh aim at the Administration's plans to allow law enforcement agencies virtually unlimited access to medical records. This loophole is so large, the ACLU said, that it "permits computerized medical records to become a vast centralized police database." "Medical records of ordinary law-abiding Americans must not be treated like mug shots, fingerprints or other current databases compiled from convicted criminals," the ACLU said. The ACLU's other primary concerns with the regulations include the broad privacy exceptions for medical information collected by the government itself and what the ACLU called a significant omission to the Administration's proposal: there is no requirement that a doctor obtain a patient's authorization before using the patient's medical records for treatment, payment or health care operations. "The ACLU believes that patients own their medical records," the ACLU said. "It follows that those records cannot be used for any purpose without the patient's consent." The ACLU's formal comments came on the last day of the comments period. In addition to filing its own suggested changes, the ACLU said that more than 11,000 people had visited its special medical records web site, filing approximately 10,000 comments with the Administration. 
The ACLU's comments can be found at: http://www.aclu.org/congress/l021700a.html

From owner-med-privacy@venice.essential.org Tue Feb 22 19:56:27 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from hotmail.com (law-oe5.hotmail.com [209.185.130.239]) by venice.essential.org (Postfix) with SMTP id A907521B09 for ; Tue, 22 Feb 2000 19:56:26 -0500 (EST) Received: (qmail 77903 invoked by uid 65534); 23 Feb 2000 00:56:21 -0000 Message-ID: <20000223005621.77902.qmail@hotmail.com> X-Originating-IP: [199.174.217.196] From: "arty" To: Date: Tue, 22 Feb 2000 16:58:16 -0800 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_003D_01BF7D56.03148880" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Subject: [Med-privacy] (no subject)

unsubscribe

From owner-med-privacy@venice.essential.org Thu Feb 24 15:21:54 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from fb00.eng00.mindspring.net (fb00.eng00.mindspring.net [207.69.200.31]) by venice.essential.org (Postfix) with ESMTP id 4579221AFF for ; Thu, 24 Feb 2000 15:21:50 -0500 (EST) Received: from ix.netcom.com (user-2ini8c5.dialup.mindspring.com [165.121.33.133]) by fb00.eng00.mindspring.net (8.9.3/8.8.5) with ESMTP id PAA21782 for ; Thu, 24 Feb 2000 15:21:46 -0500 (EST) Message-ID: <38B59340.497E9537@ix.netcom.com> Date: Thu, 24 Feb 2000 12:23:43 -0800 From: Peter Marshall X-Mailer: Mozilla 4.08 (Macintosh; I; PPC) MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: [Med-privacy] VOICE: "BODY POLITICS"

Published February 23 - 29, 2000

BODY POLITICS
BY SHARON LERNER

Medicaid Records Dispute Plagues City’s Workfare Program
A Question of Privacy

Even before it's begun, a new program designed to place nondisabled, HIV-positive people in workfare has reignited concerns about the misuse of medicaid records. Questions about medical confidentiality—now being explored by federal investigators—have made the necessarily delicate task of creating an HIV-specific workfare program that much trickier. Since homeless and drug-addicted people are already required to work in exchange for benefits, the news that HIV-infected people on welfare would soon also be drafted into workfare was expected, if not entirely welcomed, by AIDS advocates. But some lawyers for people with HIV are taking issue with how the city is carrying out its program. While the program is scheduled to begin sometime this year, tensions over its implementation started in October, after a phone call between Greg Caldwell, an official at the city's Human Resources Administration, and attorney Hayley Gorenberg.
According to Gorenberg, who works for Legal Services For New York City and heads the HIV Legal Advocacy Task Force, Caldwell told her the city was planning to cross-check medicaid records documenting the use of HIV medications against its own workfare records to identify able-bodied persons with AIDS for the program. Caldwell, through HRA spokesperson Ruth Reinecke, insists that his statements were misinterpreted. Reinecke says the agency isn't using medicaid records to recruit for its HIV-specific workfare program, but admits that the agency did "an aggregate search" of the medicaid database. That search, she said, revealed that more than 10,000 HIV-positive people might be eligible for the workfare program, without identifying them by name. Reinecke says the city decided against using that information not because of complaints or the federal investigation, but because "we found the search wasn't giving us what we needed." The city now says whatever workfare plan it ends up implementing for people with HIV will be voluntary. (Those deemed disabled will continue to be exempt from workfare requirements under the plan.) But Gorenberg passed her understanding of the conversation—that the city would be searching medicaid records—on to other AIDS advocates. And the information ignited anger and fears about medical privacy that have yet to be resolved. "If this [records search] happened, it's the biggest violation of medical confidentiality in the state's history," says Michael Kink, legislative director for Housing Works, an AIDS housing agency that frequently butts heads with the Giuliani administration. "Using medicaid records for something that has nothing to do with medical care is illegal, improper, and flat-out offensive." Indeed, federal and state law prohibit using confidential medicaid records for nonmedical purposes. 
And another city plan that would have plumbed medicaid records for evidence of drug use is already the subject of federal and state investigations. HRA has since backed away from that effort. Advocates say that these privacy disputes couldn't come at a worse time, given that the state is beginning a names-reporting program for people with HIV in the next few months. The information collected in that program is supposed to be used only for public health purposes. "But," says Catherine Hanssens, an attorney for the Lambda Legal Defense and Education Fund, the recent dispute over the HIV-specific workfare program "raises issues about how the use of protected information can change from what people understand it is going to be used for." Meanwhile, practical conflicts over putting people with HIV into workfare continue to brew. While HRA says its new program will spare people with HIV outdoor placements in the parks, sanitation, and transportation departments, for instance, some advocates say that making such accommodations won't be enough. "Just because a job is indoors doesn't mean it's necessarily appropriate," says Katie Kelleher, a Legal Aid lawyer who handles disability cases. "Some people's medication schedules require they be near a refrigerator. Or their medication makes them incredibly fatigued and they have to take a nap." HRA's Reinecke insists the program is designed to address just these kinds of special needs (she says the agency has even anticipated the need for refrigerators). But advocates seem far from soothed. Kelleher predicts "disaster" for the program. And Hanssens sums up the city's effort as "mean-spirited." Gorenberg seems to think more dialogue with the city would help. But that's unlikely now. Since the privacy problem, Caldwell, who had met with Gorenberg's HIV Legal Advocacy Task Force in the past, hasn't been in touch with her. "We've been iced out of the experience," says Gorenberg. 
"Now there's no possibility of doing anything constructive to prepare for what's going to hit our clients."

slerner@villagevoice.com

Copyright © 2000 Village Voice Media, Inc.

From owner-med-privacy@venice.essential.org Wed Mar 1 09:23:58 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from imo-d05.mx.aol.com (imo-d05.mx.aol.com [205.188.157.37]) by venice.essential.org (Postfix) with ESMTP id 40F0C21B0F; Wed, 1 Mar 2000 09:23:58 -0500 (EST) Received: from METRA1001@aol.com by imo-d05.mx.aol.com (mail_out_v25.3.) id 8.68.18bdb38 (4541); Wed, 1 Mar 2000 09:23:52 -0500 (EST) From: METRA1001@aol.com Message-ID: <68.18bdb38.25ee81f7@aol.com> Date: Wed, 1 Mar 2000 09:23:51 EST To: med-privacy-admin@venice.essential.org Cc: med-privacy@venice.essential.org MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Mailer: AOL 5.0 for Windows sub 66 Subject: [Med-privacy] Re: Presidential Hopeful abuser of Medical Records??

> MED-PRI- A question of medical privacy and medical ethics...
>
> Presidential Candidate John McCain, according to one prominent author and
> privacy advocate, used his military connections in the late 1980's to access
> the (not quite so) confidential military psychiatric and medical history of
> one of the Military Officers who testified as a witness to John Tower's
> serious drinking problem, during Tower's hearings for Sec. of Defense.
> According to Rothfeder, McCain proceeded to READ THE PHYSICIAN'S notes,
> and the officer's mental health diagnosis, prognosis, and "dirty laundry" out
> loud TO THE SENATE, and directly into the Congressional Record in the late
> '80's, bringing a strong question as to McCain's ethics, judgment, and stands
> on patients' rights, and unauthorized access to medical records. His rather
> unorthodox approach in this case also calls into question McCain's reputed
> bad temper and his use of tactics of a questionable or objectionable nature
> in venting his anger.
>
> According to author Jeffrey Rothfeder, author of PRIVACY FOR SALE, even
> McCain's GOP colleagues accused him at the time of "pouring raw sewage into
> the Congressional Record" and 'abusing his unauthorized access to this officer's
> medical charts for political gain.' In "PRIVACY FOR SALE",
> Rothfeder alleges that McCain's sole purpose in obtaining the records was to
> sully the patient and officer, slander the witness's name, and use his low
> tactic of attacking the witness to defuse reports of Tower's
> history of drinking on and off the job, in order to deflect questions away from
> Tower's well-known alcohol problems, attack the witness, and secure the Sec. of
> Defense job for his old pal, Tower, by using the lowest means possible: the
> misappropriation of confidential medical files without permission, misuse of
> them, then public reading of excerpts of his own choice, out of context.
>
> Rothfeder asserts that proof of the event is IN the Congressional Record
> itself, and, as it was presented before the US Senate, had many witnesses
> that were repulsed at the time because of the brashness and mean-spiritedness
> of this 'kind and gentle man' (McCain)... Having not seen the CR for those
> dates, I must refer all queries to this story to Rothfeder, who stands by his
> comments.
>
> I believe anyone who wishes to corroborate the truthfulness of these statements
> should have no difficulty reaching Rothfeder, or obtaining his book, or consulting
> Congressional Records thru the Freedom of Information Act, of the proceedings of,
> and at, the John Tower for Sec. of Defense hearings in the late 1980's.
>
> Aside from the obvious privacy violations, this alleged series of events
> calls for a number of questions. Would the candidate resort to this again?
> What is
> his view of patient rights, patient privacy and medical confidentiality, and the
> ethics of using military and Senatorial connections in order to not only view these
> records, but announce them publicly? Would he do the same, if he were able,
> to Gov. George Bush, to Al Gore, or to anyone else who rubbed him the wrong
> way?
>
> Just a few unanswered questions. Please do not shoot the messenger... If you have trouble with this announcement, OR its contents, pls address your complaint, questions, or suggestions to Sen. John McCain, or to author Jeffrey Rothfeder, who recently lived in MD. His add and phone can be easily found on the WWW and thru internet white pages...
>
> Al
>
> Sender: med-privacy-admin@lists.essential.org
> To: med-privacy@venice.essential.org

From owner-med-privacy@venice.essential.org Mon Mar 6 16:29:22 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from fb01.eng00.mindspring.net (fb01.eng00.mindspring.net [207.69.229.19]) by venice.essential.org (Postfix) with ESMTP id C21C321B02 for ; Mon, 6 Mar 2000 16:29:21 -0500 (EST) Received: from smtp5.mindspring.com (smtp5.mindspring.com [207.69.200.82]) by fb01.eng00.mindspring.net (8.9.3/8.8.5) with ESMTP id QAA01327 for ; Mon, 6 Mar 2000 16:29:21 -0500 (EST) Received: from ix.netcom.com (user-2ini9cs.dialup.mindspring.com [165.121.37.156]) by smtp5.mindspring.com (8.9.3/8.8.5) with ESMTP id QAA02179 for ; Mon, 6 Mar 2000 16:27:09 -0500 (EST) Message-ID: <38C4233A.89140EDF@ix.netcom.com> Date: Mon, 06 Mar 2000 13:29:33 -0800 From: Peter Marshall X-Mailer: Mozilla 4.08 (Macintosh; I; PPC) MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: multipart/mixed; boundary="------------C5E4AF9861125B97DEBD0D55" Subject: [Med-privacy] HealthKey project

[American Medical News]

Grant money to fuel Internet privacy policy research

Physicians are likely recruits in a five-state project to develop privacy standards for Internet data transmission.

By Tyler Chin, AMNews staff. Feb. 7, 2000.

A consortium of five statewide community health information organizations has been awarded a $2.5 million grant by the Robert Wood Johnson Foundation to develop confidentiality policies and test security technologies for transmitting sensitive health data over the Internet. Under a project dubbed HealthKey, the consortium will jointly craft privacy and confidentiality policies. Each organization also will individually enlist some of its members -- physician offices, clinics, insurance companies and state government agencies -- to test ways to securely and privately exchange electronic mail, transactions and data through the Internet. Members of the consortium will test what is called public key infrastructure in three areas: secure person-to-person messaging, secure point-to-point transactions from one organization to another and secure role-based access enabling authorized physicians and others to access an organization's clinical and administrative databases. Minneapolis-based Minnesota Health Data Institute, for example, plans to work with the Minnesota Medical Assn. to recruit physicians to test secure messaging with each other and transactions with insurance companies, said John Fraser, institute director of information systems.
The institute will use public key infrastructure with electronic directories or white pages, enabling pilot participants to encrypt that information, digitally sign documents and use digital certificates to authenticate and verify users' identities. It also will test simplified sign-on, enabling a physician to access multiple applications by logging onto a network only once, Fraser said. He emphasized that the organizations owning the data will determine who will have access to it. "The concern about data confidentiality is so big right now that we're going to look long and hard at any technology that is out there to assure physicians and their patients that their information will be kept confidential," said Pat Hanson, manager of quality and data at the MMA. [-] In addition to the institute in Minnesota, other members of the HealthKey consortium are the Community Health Information Technology Alliance, part of the Seattle-based Foundation for Health Care Quality, the nonprofit administering the grant; Massachusetts Health Data Institute, Waltham; North Carolina Health Information and Communications Alliance, Research Triangle Park; and Utah Health Information Network, Salt Lake City. The membership organizations promote using standards-based transactions and technologies to ensure interoperability between information systems from different organizations and their trading partners. As they work, HealthKey members will share knowledge and best practices at the HealthKey site (http://www.healthkey.org/). The HealthKey project will benefit health care players in each participant's region; it also could provide a road map for physician offices and other health care organizations as they seek to comply with the Health Insurance Portability and Accountability Act of 1996, said project participants and industry observers. 
The reason is that HIPAA requires health care organizations to protect the security and confidentiality of e-data, but it does not tell them specifically how to do that, said Françoise Gilbert, a partner at Gray Cary Ware Freidenrich, a Palo Alto, Calif., law firm. The U.S. Dept. of Health and Human Services is scheduled to publish a final rule governing security in May, to be effective in July 2002. HHS hasn't said when it will publish a final privacy rule; however, the rule would be effective 26 months after it is published. After the HealthKey project is over, some of the community networks plan to license or sell their products. These include Minnesota and Utah, which emphasized that they're trying to develop simple, easy and affordable products to help small to medium-sized physician offices and providers deal with the emergence of the Internet as a platform for exchanging health data and HIPAA requirements. Some health care trade associations are undertaking similar work as HealthKey, but their initiatives are narrower in scope, said Laura Ripp, project coordinator of HealthKey. 
From owner-med-privacy@venice.essential.org Mon Mar 6 17:26:00 2000 Return-Path: Delivered-To: med-privacy@venice.essential.org Received: from fb01.eng00.mindspring.net (fb01.eng00.mindspring.net [207.69.229.19]) by venice.essential.org (Postfix) with ESMTP id 901C121B02 for ; Mon, 6 Mar 2000 17:25:59 -0500 (EST) Received: from smtp5.mindspring.com (smtp5.mindspring.com [207.69.200.82]) by fb01.eng00.mindspring.net (8.9.3/8.8.5) with ESMTP id RAA27059 for ; Mon, 6 Mar 2000 17:25:59 -0500 (EST) Received: from ix.netcom.com (user-2ini9cs.dialup.mindspring.com [165.121.37.156]) by smtp5.mindspring.com (8.9.3/8.8.5) with ESMTP id QAA32224 for ; Mon, 6 Mar 2000 16:21:08 -0500 (EST) Message-ID: <38C421CF.4554539E@ix.netcom.com> Date: Mon, 06 Mar 2000 13:23:30 -0800 From: Peter Marshall X-Mailer: Mozilla 4.08 (Macintosh; I; PPC) MIME-Version: 1.0 To: med-privacy@venice.essential.org Content-Type: multipart/mixed; boundary="------------1F59719459031CB7F6434D65" Subject: [Med-privacy] "AM News" on Fed. rules

AMNews: March 6, 2000 ... American Medical News

Privacy concerns may spark congressional intervention

Critics of the Clinton administration's records privacy proposal take aim at its patient consent provisions and its requirement that physicians oversee their business partners' practices.

By Susan J. Landers, AMNews staff. March 6, 2000.

Washington -- Congress will likely re-enter the contentious medical records privacy debate it had, by default, turned over to the Dept. of Health and Human Services for resolution last summer.

A recent House Ways and Means health subcommittee hearing showcased a wide range of concerns raised by the department's 600-page proposal to establish federal privacy protections for electronically transmitted medical data. HHS released its proposal last fall.

Subcommittee Chair William Thomas (R, Calif.) said he had scheduled the hearing to help determine whether the regulation would "ultimately prove to be workable or whether additional legislation might be necessary."

He received in reply a chorus of requests for Congress to return to the drafting table. 

Even Mary A. Hamburg, MD, HHS assistant secretary for planning and evaluation, called the department's proposal "a foundation."

"We continue to believe that legislation is ultimately necessary if we are to appropriately protect the privacy of the health information of all Americans," she said.

Thomas indicated that lawmakers might renew their push for legislation by pointing to parts of the proposal in need of fixing.

For example, he said a portion of the proposed rule that holds physicians, hospitals and health plans liable for the actions of their "business partners," such as lawyers and auditors, might be a likely area for legislative change.

Thomas also drew attention to the proposal's provision that allows stronger state confidentiality laws to prevail over a federal rule. He suggested that the provision could lead to a "crazy quilt" of federal-state relationships and indicated that it might be better to have a federal rule take priority over state laws.

Congress had tried for three years to draft legislation that would protect medical records privacy while allowing insurers and others sufficient access to patient data. When Congress failed to meet its own deadline for the passage of legislation, statute required that the issue be turned over to HHS for regulation.

Lawmakers retained the right to continue to work on legislation and could decide to change the regulation retroactively.

Congress had set the stage for several of the most contentious provisions -- including those criticized by Thomas -- by restricting HHS's regulatory power. 

For example, Congress dictated that state laws should take priority over a federal rule. It also named only physicians, hospitals and health plans as the entities to be covered by HHS and ignored their myriad partners who are also privy to medical data.

As a result, Dr. Hamburg noted that the proposal exempts certain state laws, and it follows an indirect course to regulating a host of medical information handlers by requiring physicians, hospitals and health plans to monitor their business partners' activities. 

Too far or not far enough?

The volume and diversity of criticism from outside groups at the hearing point to a difficult road ahead for lawmakers interested in forging privacy legislation.

Medical groups and privacy advocates generally said the proposal falls short of protecting personal medical information in some areas, while insurance and business groups argued that it overreaches.

Janlori Goldman, director of Georgetown University's Health Privacy Project, Washington, D.C., told the House panel that the proposal was a "significant step toward restoring the public trust and confidence in our nation's health system," but she urged Congress to fill in the gaps in the proposed rule. For example, she recommended broadening its scope to include all those who "generate, maintain or receive protected health information."

Others, including the AMA, called on Congress to take more wide-ranging action to address what they see as major flaws.

AMA Trustee William Plested, MD, a vascular surgeon from Santa Monica, Calif., faulted the proposal for failing to require explicit patient consent before personally identifiable health information is disclosed.

"My patients assume that the private information they discuss with me will be used to benefit them -- not to benefit anyone else who may find a way to profit from their personal information," Dr. Plested testified.

He also criticized the additional administrative burden that would likely be imposed by a regulation. "The physicians of America are buried in paper, with less and less time to spend with our patients," he said.

The American Psychiatric Assn. joined in warning that the proposal doesn't go far enough to ensure privacy. The psychiatrists also urged that additional protections be placed on mental health records.

On the other hand, Mary R. Grealy, president of the Healthcare Leadership Council, testified that the proposal places too many limits on the uses of patient information and could restrict important health care activities, such as disease management programs. The council represents health plans, hospitals, universities and pharmaceutical companies. 

Deluge could cause delay

The concerns voiced at the hearing represented only the tip of the iceberg. HHS received more than 50,000 public comments by its Feb. 17 deadline.

Given the large volume of responses that must be reviewed, Dr. Hamburg declined to predict to the panel when a final regulation might be ready, although others have made estimates ranging from April to next year. Health care providers would be allowed two years from the publication of a final regulation to comply.

Thomas told Dr. Hamburg that he was concerned about the length of time it might take the department to draft a final regulation, given all the comments that must be examined. As an example of a worst-case scenario, he pointed to the agency's failure to draft a rule for implementing the so-called Stark II self-referral law despite seven years of trying. 

[....]


From owner-med-privacy@venice.essential.org Mon Mar 6 17:57:11 2000
From: steve young
Organization: cnn
Date: Mon, 06 Mar 2000 17:56:37 -0500
Subject: [Med-privacy] Abused Information

I'm working on a story to be broadcast by CNN this Wednesday 3/8 on internet privacy issues. I'm eager to talk with anyone who can document the abuse of his/her medical data obtained by others over the internet. In addition to my e-mail steve.young@turner.com other contacts include 212-714-7906 or cellphone 917-816-6842. Time is of the essence as I'm seeking to interview one or more folks on camera.
From owner-med-privacy@venice.essential.org Thu Mar 9 17:08:41 2000
From: Peter Marshall
Date: Thu, 09 Mar 2000 14:11:10 -0800
Subject: [Med-privacy] "Safe E-Health"

Safe E-Health Requires Patience
by Kristen Philipkoski
9.Mar.2000

SAN FRANCISCO -- Investors who believe that respecting patient privacy will prove crucial to the success of online healthcare companies are keeping a cautious eye on their endeavors.

Venture capitalists, angel investors, and CEOs discussed the difficult task of making money from all breeds of Internet health companies Wednesday at the Health Internet 2000 conference here.

"They're storing all that information in a database somewhere," said Deborah Pierce, staff attorney at the Electronic Frontier Foundation. "My question is: Who has access to that information? Can patients correct it? Can they see it? It's all the fair information practice issues that come up."

Pierce said future worries included whether information that patients are looking for on the Web can be traced back to them, as well as the security of databases containing medical information.

"It seems like once a week there's some data leak somewhere," she said. "I would imagine that these companies are pretty careful -- but have they done audits of their systems so they know they're really robust?"

Dale Sakai, president and CEO of Confer Software, said the technology to secure databases exists, but it must be used properly to work.

E-care is the final link -- after online medical content providers and e-commerce health companies -- in bringing the entire health care industry online. Companies like Confer provide technology for managing the flow of information from patients to providers to payers to suppliers, Sakai said in a keynote talk at the conference.

He said Confer has two patents on database security technologies, and that the company will be fully compliant when the federal Healthcare Information Portability and Accountability Act is rolled out in April. The measure requires the Department of Health and Human Services to adopt national standards for the confidentiality of electronic transmission of certain health information. Companies will have two years to comply with the HIPAA regulations once they are released.

"In the area of security, the thing that drives me nuts is that the Internet is a much more secure media than anything else we've had," Sakai said in an interview.

"If you mismanage you can have huge security exposures, but if you think it through and put the right use to the right technology to ensure security, it's much better than what we are currently dealing with," he said.

Venture capitalists say privacy is both a worry and a business opportunity. Dr. Phillippe Chambon, general partner at Sprout Group in New York, said the need for medical privacy will be a window for businesses that want to provide privacy technologies.

"I view that as a major opportunity for some of these businesses to provide the appropriate amount of privacy -- meaning the amount that is chosen by the consumer," Chambon said. "So you and I will decide who cannot access that information and what type of information they can access and so on."

Dr. Christopher Kersey, an associate with Menlo Ventures in Menlo Park, California, said consumers' reaction to privacy issues is unpredictable. He said the industry could see something similar to what's happened with the genetically altered food phenomenon.

"A really aggressive legislation was written against any unknown factors being introduced into foods," Kersey said. "I don't know whether it's going to happen in healthcare Internet, but boy, people were sure taken by surprise by how aggressive that [GM Foods] lobby was."

It's not only the e-health industry that's prompting privacy concerns among consumers, Pierce said, but a growing concern in general about the exposure of private information. The Department of Health and Human Services recently closed a comment period on creating a baseline for privacy regulations.

"I think people are starting to be aware that there aren't a lot of remedies for people when their privacy has been invaded," she said. "In the draft-proposed regulations by the Department of Health and Human Services, the floor is so low that the states are saying it's a step, but a very small step. We have to do something to better protect medical records."

Many great technologies out there won't be embraced because of privacy issues, said Mark Donovan, a principal at Salix Ventures in San Francisco.

"Regardless of how exciting this technology looks you really have to understand the customers," Donovan said. "Is the customer going to be afraid of privacy issues? Absolutely."

Copyright © 1994-2000 Wired Digital Inc.
From owner-med-privacy@venice.essential.org Fri Mar 10 13:55:01 2000
From: Peter Marshall
Date: Fri, 10 Mar 2000 10:57:28 -0800
Subject: [Med-privacy] health info. privacy in WA

Patient Bill Of Rights
FINAL BILL REPORT
2SSB 6199
As Passed Legislature

Brief Description: Adopting a patient bill of rights.

[....]

Background:

"Health carriers" include disability insurers, health care service contractors, and health maintenance organizations. Current law imposes obligations on carriers regarding, among other things, required benefits, information disclosure, emergency care, and gag rules. As managed care emerges as the prevalent method of delivering health care services, concern exists that current requirements are insufficient to allow consumers to make informed decisions and to receive adequate health care treatment.

Summary:

Numerous requirements are established regarding the structure and operation of health plans by health carriers. Carriers as third-party payers cannot disclose an enrollee's health information except to the extent that health providers can under state law, and must adopt policies to protect an enrollee's right to privacy and confidentiality granted under federal and state law.

[....]

The act applies to health plans of carriers, the managed care portion of the state's medical assistance programs, the Basic Health Plan, and state employee health benefits, including the Uniform Medical Plan. It applies to all health plans offered or renewed after June 30, 2001. The bill is null and void unless funding is provided in the budget by June 30, 2000.

Effective: 90 days
January 1, 2001 (Sections 13-16)
July 1, 2001 (Section 29)

------

_______________________________________________
SECOND SUBSTITUTE SENATE BILL 6199
_______________________________________________
AS AMENDED BY THE HOUSE
Passed Legislature - 2000 Regular Session

Sec. 1. PATIENT RIGHTS. It is the intent of the legislature that enrollees covered by health plans receive quality health care designed to maintain and improve their health. The purpose of this act is to ensure that health plan enrollees:

[....]

(5) Are protected from unnecessary invasions of health care privacy; and

(6) Are assured that personal health care information will be used only as necessary to obtain and pay for health care or to improve the quality of care.

Sec. 2. HEALTH INFORMATION PRIVACY. Third-party payors shall not release health care information disclosed under this chapter, except to the extent that health care providers are authorized to do [....]

Sec. 5. HEALTH INFORMATION PRIVACY. (1) Health carriers and insurers shall adopt policies and procedures that conform administrative, business, and operational practices to protect an enrollee's right to privacy or right to confidential health care services granted under state or federal laws.

(2) The commissioner may adopt rules to implement this section after considering relevant standards adopted by national managed care accreditation organizations and the national association of insurance commissioners, and after considering the effect of those standards on the ability of carriers to undertake enrollee care management and disease management programs.

[....]
From owner-med-privacy@venice.essential.org Sun Mar 12 13:08:55 2000
From: Peter Marshall
Date: Sun, 12 Mar 2000 10:11:43 -0800
Subject: [Med-privacy] pharm info. privacy

JAMA Vol. 283 No. 6, February 9, 2000
Policy Perspectives

Uses and Abuses of Prescription Drug Information in Pharmacy Benefits Management Programs
Bernard Lo, MD; Ann Alpers, JD

A 1998 incident in which patients' prescription information was used to advertise a new drug exemplifies the importance of confidentiality in the era of managed care and computers. The ethical concerns voiced about this incident can also apply to pharmacy benefits management programs. The use of personal health information in pharmacy benefits management is particularly important because of increased pressures to control rising drug costs. Specific confidentiality concerns include whether the goal of benefiting patients will be achieved and whether the means are appropriate. The means may be problematic because of financial conflicts of interest, lack of patient authorization, inappropriate access to information by third parties, and inadequate safeguards for confidentiality. Policies should be crafted that protect confidentiality while allowing appropriate use of personal health information in pharmacy benefits management. Sound policies should require clear evidence of benefit to patients, an oversight committee, patient authorization, disclosure or prohibition of conflicts of interest, additional safeguards for sensitive medical conditions, strong confidentiality protections, and restrictions on advertising.

JAMA. 2000;283:801-806
© 2000 American Medical Association.

From owner-med-privacy@venice.essential.org Sat Mar 18 20:30:01 2000
From: Peter Marshall
Date: Sat, 18 Mar 2000 17:33:05 -0800
Subject: [Med-privacy] more on proposed rules

GROUPS SPLIT OVER GOVERNMENT'S MEDICAL PRIVACY REGULATIONS

Patient, doctor groups fear proposed rules don't sufficiently protect privacy of medical information while others fear they will lose access to important data.

http://www.medscape.com/Medscape/MoneyMedicine/journal/2000/v01.n02/mm0315.wieb/mm0315.wieb.html

From owner-med-privacy@venice.essential.org Sun Mar 19 21:18:44 2000
From: Peter Marshall
Date: Sun, 19 Mar 2000 18:21:45 -0800
Subject: [Med-privacy] more on WA State legislation

> ...................................................................
> American Health Lawyers Association
> Health Law Highlights
> ...................................................................
> Volume 2, Issue 12 March 20, 2000
>
> WASHINGTON STATE ENACTS LEGISLATION ALLOWING ENROLLEES TO SUE HEALTH
> PLANS FOR NEGLIGENT TREATMENT
>
> On March 15, Washington State enacted S.B. 6199, a patients' bill of
> rights that includes a provision permitting health maintenance organization
> ("HMO") members to sue their HMOs for negligent treatment decisions, making
> it the fourth state to enact that type of law (following Texas, Georgia, and
> California). The legislation provides several basic rights: a fast and
> impartial grievance process to resolve healthcare disputes; a timely
> external and independent medical review of healthcare disputes; the right to
> sue managed care plans if patients believe their managed care system has
> harmed them through negligence; the right to get access to information about
> healthcare plans; protection from unnecessary invasions of healthcare
> privacy; and a health plan medical doctor who is a licensed doctor.
>
> To read the legislation, go to
> http://www.insurance.wa.gov/Health/6199pl.htm
> ...................................................................
> Copyright (c)2000 American Health Lawyers Association
> ...................................................................

From owner-med-privacy@venice.essential.org Mon Mar 20 18:30:07 2000
From: Peter Marshall
Date: Mon, 20 Mar 2000 15:33:45 -0800
Subject: [Med-privacy] AMNews editorial: "The privacy balancing act"

[AMNews] [American Medical News]
----------------------------------------------------------

The privacy balancing act

HHS' attempt to strike a balance between patient privacy and administrative simplification seems to have missed both targets.

Editorial. March 20, 2000.
When Congress enacted the Health Insurance Portability and Accountability Act in 1996, it gave itself a deadline for developing guidelines governing the privacy of patient information for electronically transmitted medical data -- a critical concern in this digital age. Perhaps not surprisingly, Congress failed to meet that deadline; so, under terms of the legislation, the task went to the secretary of Health and Human Services.

Late last year, HHS submitted proposed regulations that it said attempted to strike a balance between patient privacy and administrative simplification. Unfortunately, it appears to have missed both targets.

In correspondence with HHS and in testimony before Congress -- the latter may well roust itself to intervene -- the American Medical Association has pointed out significant shortcomings in the proposed regulations. Several key areas pose particular concerns, including:

* A patient's confidential information could be disclosed without his or her consent for a broad array of purposes not related to his or her individual treatment or payment, and extending far beyond any disclosures or uses that the patient might expect when seeking care.

* The proposed regulations would not hold accountable many of the holders of the information who might misuse it, despite the regulations' attempt to compel physicians and other covered entities to exercise oversight.

* A physician might be held liable for the uncontrollable misdeeds of "business partners," although the physician was in compliance with the regulations.

* There has been no substantive calculation of the administrative burden and costs of implementing the regulations, although it is apparent that physicians -- particularly those in solo practice or small groups -- would bear a disproportionate amount of the cost.

* Finally, the 1996 legislation was enacted with the goal of simplifying health care administration and reducing costs; the regulations fail to accomplish this and, at the same time, do not offer patients improved expectations for privacy protection.

The growing need to protect the privacy of patients is a direct side effect of the advances in technology that facilitate the exchange of vast amounts of information. Patient information is used by various entities in the health care delivery system, including hospitals and health plans, for purposes far removed from patient care. The financial services reforms legislation enacted last year that allows closer business collaboration among insurance companies, banks and securities firms heightens concerns about potential information on individuals' health status.

Patient information, in the aggregate, serves many valuable purposes. However, many entities mistakenly believe that personally identifiable health information should be available for a variety of seemingly compelling purposes without the patient's explicit consent. These entities cite a "need" for such patient information -- a philosophy reflected in the HHS regulations and one the AMA vigorously rejects.

The AMA has long adhered to the principle that any health care legislation or regulation should first consider the interests of the patient. The regulations proposed by HHS fall far short of this target. If patient privacy is to be protected, any entity seeking access to patients' confidential medical information should be required to pass a stringent test to demonstrate why its need for the information overrides the basic rights of the patient. Further, the public deserves a full, open discussion of who is seeking their medical information and how it might be used.

Although informed consent clearly is not practical in some cases, those situations should be dealt with in one of two ways: either the identifying information should be stripped from it, or an objective and publicly accountable entity should conclude -- after weighing the risks and benefits -- that patient confidentiality is not required. Such an approach would provide a reasonable balance between the interests at stake.

From owner-med-privacy@venice.essential.org Fri Mar 24 22:35:46 2000
From: Peter Marshall
Date: Fri, 24 Mar 2000 19:39:51 -0800
Subject: [Med-privacy] what's sauce for the goose....

Computer Privacy Digest Fri, 24 Mar 00 Volume 16 : Issue: 008

From: "Dave Koster"
Date: 24 Mar 2000 19:25:19 GMT
Subject: Medical Information Privacy Question

Should not industries that acquire, transmit, share, exchange, and archive personally identifiable medical information for the purpose of marketing and promotion of their industry's products or services be held to the same HIPAA regulations and subsequent IT/security costs as the Healthcare industry?
From owner-med-privacy@venice.essential.org Sat Mar 25 22:40:55 2000
From: Paul Mosher
Date: Sat, 25 Mar 2000 19:40:54 -0800 (PST)
Subject: [Med-privacy] New WWW site for psychotherapy privacy information

Please check out the WWW site at http://jaffee-redmond.org

This site is intended to serve as a sort of "portal" for historical and developing information about the Federal psychotherapist-patient privilege. The FULL TEXT of a number of documents related to the Jaffee v. Redmond case is available via links. There are also several articles on the subject. I have also included several links to comments submitted to HHS on the privacy rule.

Paul Mosher

__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com

From owner-med-privacy@venice.essential.org Mon Mar 27 15:52:37 2000
From: Peter Marshall
Date: Mon, 27 Mar 2000 12:56:24 -0800
Subject: [Med-privacy] AAHP comments: Standards for Privacy of Individually Identifiable Health Information

Imagine our lack of surprise....

[Attachment: "AAHP comments to HHS"]

Standards for Privacy of Individually Identifiable Health Information

February 3, 2000

Re: "Standards for Privacy of Individually Identifiable Health Information"
 
 

I am writing on behalf of the American Association of Health Plans (AAHP) in response to the November 3, 1999, Federal Register proposed rule on "Standards for Privacy of Individually Identifiable Health Information." AAHP is the principal national organization representing HMOs, PPOs, and other network plans. Our member organizations provide or arrange for health care services for approximately 140 million members nationwide.

[....]

Below is a brief overview of the key areas in which we have provided comments.

 Definitions. The proposed rule appropriately recognizes that there are specific uses and disclosures of protected health information that should not require individual authorization. However, these permissible uses appear to omit several activities from the definition of health care operations that are directly related to treatment and payment. These activities would most likely become prohibitively difficult to accomplish if subject to a requirement to obtain separate authorizations.

[....]

Additionally, the definition of identifiable information is too broad while the definition of de-identified information remains too narrow. Contrary to the public goal of encouraging greater use of de-identified information, these definitions appear to require either aggregate or truly anonymous information to meet the threshold of de-identified information, making the safe harbor for de-identified information virtually meaningless.

[....]

Business Partners. The proposed rule makes covered entities responsible for the actions of all of the third parties with which they contract.

[....]

Moreover, given the significant penalties that violators are subject to, it is unreasonable to place disproportionate responsibility on plans and providers for the acts of businesses with which they contract but do not control.

[....]

Additionally, the inclusion of individuals as intended third party beneficiaries in contracts between covered entities and business partners could expose covered entities to extensive liability for the actions of their business partners. This is in direct conflict with the intent of HIPAA that civil and criminal penalties - and not a private cause of action -- be the applicable sanctions.

Restrictions to Allowable Uses and Disclosures. The proposed rule requires plans and providers to make reasonable efforts to use and disclose no more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure. While this appears on its face to be a common sense approach, its implementation raises serious concerns about patient care.
 

[....]

Similarly, the proposed rule permits individuals to request of their plan or provider that certain restrictions or limitations on the use and disclosure of their protected health information be followed. While the plan or provider is under no obligation to agree to such requests, this raises the concern that a covered entity could agree to a restriction that may affect the activities of other covered entities that have not agreed to the restriction.

Right to Access and Amend. AAHP supports the ability of individuals to access their protected health information and request that their information be appended. However, we have several concerns with the way these provisions are currently structured which we discuss in detail in the attached comments.

[....]

Additionally, the ability of individuals to request amendment to their protected health information should not result in deletions or alterations to the original information. Such actions are contrary to current practice and undermine the integrity of the medical record. A more appropriate right would be to append one's protected health information, since this term more accurately describes the intent of the provision.

[....]

Administrative Costs. Finally, we recognize that strong confidentiality protections come at a cost. However, we believe that the Department's regulatory impact analysis significantly underestimates the cost implications of the proposed rule.

[....]

Richard I. Smith
Vice President, Public Policy and Research

Kristin Stewart
Director, Private Market Issues

Preemption of State Law (§160.203 and §160.204)

Issue: The proposed rule does not (and cannot) provide for complete federal preemption of state laws and, as a result, the rule exacerbates the current problem of complying with differing and inconsistent standards.

[....]

Recommendation: A single, clear and uniform body of law should govern the confidentiality of individually identifiable health information.

[....]

From: Twila Brase
Date: Wed, 29 Mar 2000 12:31:54 -0600
To: med-privacy@venice.essential.org
Subject: [Med-privacy] Question

I received an email saying that a 1993 federal law allows sharing of information between government agencies. The person could not remember the name or number of the law. Any ideas? This is what my contact said:

>The 1993 law says that information in ANY government agency MUST BE
>SHARED with any other government agency upon receiving a request for
>such information from the other agency. Since 1993, all it has taken is
>an agency-to-agency telephone call to destroy whatever "privacy" you may
>have felt you had left.

If you have any information, please let me know. Thank you.

Twila Brase, R.N.
President, CCHC
"a citizens resource for designing the future of health care"
Citizens' Council on Health Care
1954 University Ave.W., Suite 8
St. Paul, MN 55104
651-646-8935 phone
651-646-0100 fax
http://www.cchc-mn.org

From: Peter Marshall
Date: Wed, 29 Mar 2000 13:40:18 -0800
To: med-privacy@venice.essential.org
Subject: [Med-privacy] [Fwd: FTC Joint Venture Guidelines]

Implications for data sharing in health services environments...?

Peter Marshall

------

From: James Love
Organization: http://www.cptech.org
Date: Wed, 29 Mar 2000 14:44:26 -0500
To: info-policy-notes
Subject: [IPN] FTC Joint Venture Guidelines

Today I testified in the House Judiciary Committee on antitrust issues in the oil and gas industry. My testimony focused on the issue of collaborations between competitors, and the FTC joint venture guidelines. We said these were important issues for other industries, including the pharmaceutical, telecommunications and software industries, where firms are competitors in some markets, and partners or collaborators in other markets.

We have asked for changes in the Horizontal Merger guidelines to reflect the importance of collaborative agreements on measures of market concentration, and to routinely require public disclosure of such agreements on the Internet, as part of the Hart Scott Rodino process.

Jamie Love
http://www.cptech.org/at/oil/mar29-2000-opec.html

James Love, Director | http://www.cptech.org
Consumer Project on Technology | mailto:love@cptech.org
P.O. Box 19367 | voice: 1.202.387.8030
Washington, DC 20036 | fax: 1.202.234.5176

Info-policy-notes mailing list
Info-policy-notes@lists.essential.org
http://lists.essential.org/mailman/listinfo/info-policy-notes

From: Andrew I Busigin
Date: Wed, 29 Mar 2000 15:46:30 -0500
To: med-privacy
Subject: [Med-privacy] Privacy legislation

I have seen so many postures now on the issues of privacy, and data sharing, and arguments based on technical reasons, that I want to gag. Let me ask a question that cuts to the quick...

Who here among us believes that the need for privacy in the digital age is important enough to warrant a constitutional amendment? After all, aren't we supposed to look to the constitution to assure us of our unalienable rights to resist oppression? Is not the threat of digital intrusion upon our identities and private matters every bit as much an oppression as religious persecution was in the eyes of the founding fathers?

I for one believe that we are almost ready technologically for a solution to our problems, but the underlying principles we need to guide us are nowhere to be found in the constitution. The constitution is precisely the correct document that we need to state the basic principles in.

If you want to e-mail me your Ayes/Nayes, then I will report the tally. Please reply with just an Aye or Nay in the subject line. We can debate this openly, but a tally of respondents might be a useful guiding statistic.

--
Cheers!
Andrew
mailto:a.busigin@sympatico.ca

From: Peter Marshall
Date: Mon, 03 Apr 2000 11:07:23 -0700
To: med-privacy@venice.essential.org
Subject: [Med-privacy] comments on draft med-privacy rule online

This is a cryptographically signed message in MIME format.
5. DHHS POSTS ELECTRONIC COMMENTS ON DRAFT PRIVACY RULES

The Department of Health and Human Services ("DHHS") has posted on its Web site comments that the agency received electronically on the draft privacy rule. Go to http://aspe.hhs.gov/admnsimp/index.htm to see the comments.

[via "Health Law Highlights"]

From:
Date: Tue, 4 Apr 2000 01:04:26 -0700 (PDT)
To: Peter Marshall
Cc: med-privacy@venice.essential.org
Subject: [Med-privacy] a wish to unsubscribe from the list

How do I unsubscribe from the list thanks

From: Peter Marshall
Date: Tue, 04 Apr 2000 20:26:59 -0700
To: med-privacy@venice.essential.org
Subject: [Med-privacy] National CPR

This is a multi-part message in MIME format.
Welcome to National CPR's WWW Site

This year could be the year our medical privacy is won or lost! The administration is poised to enact final privacy regulations and Congress could still enact harmful legislation.

National CPR urges stronger medical-privacy rules.

Read our comments
Read our press release
Read what other privacy advocates are saying

National CPR Releases White Paper on Medical-Records Privacy

Financial Services bill bad for privacy. Tell Congress NOW.

The Surgeon General's Report on Mental Health
* How CPR Contributed
* Confidentiality Chapter
* Full Text

CPR testifies in Congress

Mass. Mental-Health "Parity" Bill Repeals Strong Privacy Protections

Alert: Insurance companies mobilize against Mass. privacy bill. Click here to speak out.

Legislative Scorecards
U.S. Senate
U.S. House

For the latest news about medical privacy, look at these breaking stories.

106th Congress considers privacy issues.

©1998-1999 National CPR
9 Bartlet Street, PMB 144, Andover, Massachusetts 01810-3884
phone / fax: 888-44-PRIVACY
eMail: ncpr@nationalcpr.org
From: Peter Marshall
Date: Thu, 06 Apr 2000 15:26:22 -0700
To: med-privacy@venice.essential.org
Subject: [Med-privacy] "Health Privacy" at CFP2000 conference

CFP2000 Hot Topics: Health Privacy

Moderator: Ari Schwartz, Center for Democracy and Technology, MedicaLogic Inc.
Peter Swire, Chief Privacy Counselor, US Office of Management and Budget
Angela Choy, Georgetown Health Privacy Project
Rebecca Daugherty, Reporters Committee for the Freedom of the Press

From: Peter Marshall
Date: Sat, 15 Apr 2000 16:14:11 -0700
To: med-privacy@venice.essential.org
Subject: [Med-privacy] medical info privacy of NC drivers

SECRET PANEL DECIDES WHO CAN DRIVE
by Dana Davis, The Asheville Tribune, Asheville, North Carolina

A woman recently visited a local DMV branch to notify them of a change of address and requested an updated driver's license to indicate as such. What she got was much more than she bargained for.

When Sylvia English, 39, single, and no children, went to the East Asheville branch of the NC Department of Motor Vehicles (DMV) to update her driver's license she did not realize that she needed her social security card. Upon finding out, English says she vocalized her disapproval to the DMV examiner. The examiner explained to her that all applicants seeking a driver's license, regardless of their record, are to provide their social security number as mandated by President Clinton's Executive Order 13019, issued on Sept. 28, 1996, supposedly designed to keep track of 'dead-beat' parents. English did not have her social security card with her, so she had to return the next day with it.
Upon English's second examination with the E. Asheville DMV, she claims she was asked questions which were agitating to her. English said DMV Examiner Creasman asked her in depth questions about her physical health, mental health, and if she was registered to vote. Examiner Creasman abruptly ceased communication when contacted by The Asheville Tribune. However, Examiner Hyder from the West Asheville branch said that the DMV is required to ask all applicants if they suffer from any health problems. If the examiner is not too busy, Hyder said there is a list of specific questions regarding someone's health, as it relates to their ability to drive, that an examiner can choose to ask the applicant. Therefore, according to Hyder, it is not odd that Creasman asked English these questions.

Regardless, English says she answered all of the questions and provided all information and identification that was asked of her by Examiner Creasman. Though, she admits that she did so with obvious disgust because she felt the questioning to be invasive, and, after all, she only wanted to change her address.

Creasman granted English the updated license, but not without a hitch. On May 7, English received a letter from DMV officials in Raleigh instructing her to complete and return a ten-page medical evaluation within 30 days or else her license would be canceled due to a medical incapacity to drive safely. Furthermore, completion of the report requires that she provide her signature. But the only place on the entire form that allows for English's signature succeeds the following paragraph:

"I hereby authorize Dr. ______________ to give any examination he deems necessary for the purpose of determining my physical fitness to operate a motor vehicle. I also authorize any other physicians who attended me, or any hospital or clinic in which I have been examined or treated, to give the Division of Motor Vehicles or its representative any information they may request concerning my condition. I understand this authorization includes permission for this information to be reviewed by a panel of unidentified physicians for the purpose giving the Division a medical opinion on my case. SIGNATURE OF APPLICANT__________________"

English says she considers herself an 'open' person and has no problem allowing her doctor to conduct a physical exam to determine if she can drive a car safely. What English adamantly objects to is giving the DMV access to her entire medical history, to be freely scrutinized by a 'panel of unidentified physicians.'

When Examiner Hyder was asked if he would sign such a report, authorizing the DMV to view his complete medical history, he responded, "I would have no problem signing the medical report if I didn't have anything to hide."

English says she doesn't have anything to hide. According to English, she has no insurance points, has not been in an accident, and in 33 years of driving, has received only one ticket - a DUI in 1993. She received the required physical from her doctor, but she feels the DMV's evaluation is unreasonably invasive and unjust, and she does not understand why she must grant them permission to secretly peer into her entire life.

Incidentally, the page requiring the signature also has an unidentified bar-code at the bottom. Hyder explained that DMV appointed physicians who study an applicant's medical report are to remain unidentified to protect themselves from any possible danger in case they determine an applicant is unfit to have a driver's license. He guessed that the bar-code is probably a way to keep track of a person's file.

Legal expert Tim Hanley said he would not sign the form and added that he would look into suing the DMV examiner who recommended the medical report for deprivation of rights, Title 42, Section 1983 (Rights to Privacy). Hanley suggests that Creasman may be violating English's right in this regard since she has not committed an infraction and has not given Creasman nor the DMV a reason to issue the medical report.

But did English give Creasman a reason to recommend a DMV evaluation? According to Hyder, N.C. statutes 20-29.1 require a DMV examiner to request a medical evaluation if they are given any reason to question an applicant's ability to drive safely.

"The power given to (the examiner) from a five minute evaluation is not right," English said. Hanley posed the question, "What makes this guy a medical authority?" Wayne Herder, Director of Driver's License Certification for N.C. responded, "Our examiners are trained to look for any indication that would determine whether this driver is unsafe."

When English was asked why she thought the DMV questioned her ability to drive, she responded, "I'm not sure. I was in dirty clothes, made fun of certain things, and was effervescent." She admitted to being somewhat belligerent at the notion of answering some of Creasman's questions, which she believed infringed upon her privacy, but said she cooperated anyway.

Herder stated that the examiner must have a good reason to recommend an extensive evaluation for English. "I'd be very surprised if an examiner requested a medical report form out of spite. It has not happened, that I know of, in the five years I've been director."

Is English incapacitated in some way, physically, that would prevent her from driving safely? Her doctor does not think so. According to the exam, English has perfect eye sight and hearing, sound muscle control and reflexes, complete use of all her extremities, and suffers from no impairment or disorders to speak of.

And what about English's mental stability? According to long-time acquaintance Dr. Emir Neshat, "She's very reliable. If she has any mental health problems I don't know about it, and I've known her for at least fifteen years." Neshat goes on to say, "She is a very independent person and objects to prying. She's well-read and politically aware and that frightens some people."

Judy Whitley has known English for ten years and says that English is probably smarter than most and drives better than most of the people she knows. She adds that if English is deficient in any way then it is an intolerance for incompetence.

So, why is it the responsibility of a perfectly capable driver, with an almost flawless driving record, to prove to the DMV their ability to drive safely, and not the DMV's responsibility to prove that the driver is unsafe? "Because under state law, driving is a privilege, not a right, and it's the state's job to ensure that drivers are capable," Herder stated.

Hanley confirmed that Herder's statement is correct. He explained that the only way a U.S. citizen could operate an automobile without a license would be to have no title (because a car title actually gives the state ownership of the car), remove the vehicle identification number and report to the state that there is a total loss. In that case, Hanley says someone could make the argument that the vehicle is their personal property used to exercise one's pursuit of happiness.

In questioning English's capability to drive, Herder said that the DMV examiner must give reasons why, in addition to answering a series of specific questions related to the applicant's ability to drive. However, only the particular applicant can request that information, and the examiner's evaluation of English was unavailable as of press time.

Meanwhile, time is dwindling for English, who agreed to the physical but refuses to give her signature to anything more. English says she is considering establishing residence in Tennessee so that she may attain a Tennessee driver's license. However, Hyder said that English would have to get a Tennessee license before the 30 days were up and when it came time for renewal she would be denied no matter what state she was in.

Copyright 1999, The Asheville Tribune.

-------------------------------

From: Peter Marshall
Date: Sun, 16 Apr 2000 10:00:15 -0700
To: med-privacy@venice.essential.org
Subject: [Med-privacy] criticism of proposed med-privacy rules

This is a multi-part message in MIME format.
From: David Farber
Date: Sun, 16 Apr 2000 10:59:07 -0400
To: ip-sub-1@majordomo.pobox.com
Subject: IP: Groups Warn of Breaches in Privacy Laws for Patients

http://www.washingtonpost.com/wp-dyn/nation/A21639-2000Apr15.html

By Susan Okie
Washington Post Staff Writer
Sunday, April 16, 2000; Page A02

Doctor groups and privacy advocates have charged that new government rules, touted as protecting patients' confidentiality, will instead make it easier for employers, researchers, law enforcement officials, the federal government and others to gain access to people's medical records without their consent.

The Department of Health and Human Services is reviewing some 53,000 public comments on the proposed regulations, which were announced last fall and are expected to be issued in final form sometime in the next few months. The new rules, mandated by Congress, represent the first federal effort to safeguard the privacy of medical records.

When President Clinton unveiled them last fall, he said, "They would greatly limit the release of private health information without consent." But by eliminating the requirement for patient consent in many situations, the rules would have the opposite effect, predicted Richard Sobel, a political scientist at Harvard Medical School. The administration "stressed the privacy protections," Sobel said. "But . . . it turns out that these regulations essentially abolish informed consent" if a patient's medical records are being used for providing treatment, arranging payment or for "health care operations," an ill-defined term that covers many activities of managed-care plans and health insurers.

In addition, under some circumstances, the rules would permit health providers to release private medical information without obtaining a patient's consent to police, employers, researchers and government data banks.

From owner-med-privacy@venice.essential.org Mon Apr 17 13:48:45 2000
From: Peter Marshall
Date: Mon, 17 Apr 2000 10:53:28 -0700
To: med-privacy@venice.essential.org
Subject: [Med-privacy] AMA v. Treasury proposal

[AMNews, AMA, 4/24/00]

Treasury proposal leaves records bare

The AMA charges that a new Treasury Dept. proposal fails to adequately protect medical information found in a wide range of financial products, including life and health insurance. - April 24

From owner-med-privacy@venice.essential.org Mon Apr 17 14:44:35 2000
From: Peter Marshall
Date: Mon, 17 Apr 2000 11:49:17 -0700
To: med-privacy@venice.essential.org
Subject: [Med-privacy] Docs' personal info. gets online

Doctors shaken to find personal data on the Web
Posted at 6:46 p.m. PDT Sunday, April 16, 2000
BY KRISTI HEIM
Mercury News Staff Writer

Fremont family doctor Susan Hsu rarely gives out her home address, but she made an exception to receive her license and other mailings from the California Medical Board. Little did she know that information would later be sold by the board and posted on the Web.

While searching the Internet a few weeks ago to find information for a patient, Hsu was shocked to see her home address in the Health Pages, a directory consumers can use to find doctors within the WebMD Health site. Hsu's residential address appeared in the place of a second office address.

``It's such an invasion of privacy,'' she said, adding that she checked the names of a dozen colleagues and found the same problem in many of those listings.
``We as physicians do a lot to protect ourselves and then to find information like that available to anyone, I was pretty upset over it.''

The blunder -- the second time home addresses of doctors were posted on the Web -- occurred after a public records database of the more than 100,000 physicians licensed in the state was sold by the medical board to the Pacific Business Group on Health, which in turn sold it to New York-based Health Pages. The board and the companies have since taken steps to correct the problem and posted a revised list Thursday.

But the experience shows how personal data that people casually fill out on forms can turn up in front of an audience of millions on the Web. Doctors had given their home addresses to the state as the place where they preferred their licenses be mailed. Hsu and others say they had no idea the data would be made public and sold to online database companies. The board says it is required by law to provide the address of any physician in the state upon request, and it had alerted doctors about this in a memo and several newsletters.

Individual names, addresses and phone numbers have long appeared in telephone directories, and those have become ubiquitous on the Web as sites race to attract visitors. But doctors and judges, concerned about potential harassment from convicted criminals, psychiatric patients, abortion foes or others, have fought against making their mailing addresses public.

For several months in 1997, the medical board stopped posting addresses after it received 41,000 requests from doctors seeking to remove their home addresses from a public database, board spokeswoman Candis Cohen said.

Posted on internal site

The problem surfaced in 1997 after the medical board put its entire database of license information on its own Web site. The Union of American Physicians & Dentists protested the posting of home addresses, saying it jeopardized the safety of doctors.

The board took those addresses off the site temporarily to give doctors time to switch their home address on file to an office address or post office box, Cohen said. But files containing doctors' home addresses could have been sold to a number of companies before that time, said Julie Williams, the medical board's data processing manager. It's difficult to know which companies now have the data, and which may be posting home addresses on the Web.

Last year the board processed 168 requests for lists of doctors from health agencies, researchers, marketing firms and even a day spa. The board charges three cents per name. ``Legally we have to provide it, and we have to recoup our costs,'' Williams said.

The board, which operates as part of the state's Consumer Services Agency, gives consumers information about doctors, including their license, education, address and any complaints filed against them. The information is updated twice a month.

``The nearest we can figure, they were using an older database and never bothered to update it,'' Williams said, adding that the board gave Health Pages new records as soon as they discovered the problem. ``If you're going to provide it, you have some responsibility to make sure it's accurate.''

Still, that doesn't do much to allay doctors' fears. ``My concern is that I found this out by accident,'' Hsu said. ``Who's to say what other Web sites contain our home addresses without our knowledge or consent?''

The latest online privacy debacle comes at a time when many doctors are already skeptical about using the Web for medical purposes. A recent American Medical Association survey found that fewer than 40 percent of doctors use the Internet as part of their practice, citing time constraints and a lack of useful services.

The incident also raises questions about who is responsible for information posted on the Internet -- the source or the host. In this case, neither the companies involved nor the state medical board sent an alert to doctors that their home addresses might be on the Web by mistake.

``Every database is going to have its inaccuracies,'' says Martin Schneider, president and CEO of New York-based Health Pages, noting that the company performs spot checks as often as possible. The site lets doctors edit their own information or delete their listings entirely, he added.

``Other than making changes when we're contacted by a doctor, I'm not sure how else we could safely change an address,'' said Robin Palley, senior vice president of WebMD Health in Atlanta. The site (www.webmd.thehealthpages.com) contains databases listing half a million doctors nationwide, she said, but no other states have reported any problems. WebMD Health began licensing space to Health Pages last June.

The medical board states on the sixth page of its license renewal instructions that ``California law requires the Board to provide, upon request, an address of the physician . . . A physician should carefully consider the address of record he or she provides to the Board, and may wish to utilize the physician's home or office address or (a post office box or other address).''

But Hsu, who obtained her license in 1996, said ``there was no disclosure statement at all.'' After moving from Sacramento to Fremont, she said she even wrote a letter to the board in 1998, stating, ``I do not want my street address disclosed to the public.''

Ingrid Antall, another family physician in Fremont, also said her home address was posted on the Internet without her knowledge. She said she didn't receive any notice about the address becoming public when she applied for her license in early 1998. ``I don't have a listed number,'' she said. ``I had hoped doing that would make my address less accessible, but apparently it doesn't.''

Correction made

Jay Thorwalbson, public affairs director of Palo Alto Medical Foundation, contacted the Web companies after receiving complaints from Antall and other doctors who work for the foundation. He said both Health Pages and Healtheon WebMD were quick to act to correct the problem. But the larger issue is about health practitioners losing control of their information, he said.

``Apparently we don't have a choice about whether or not we're in the database,'' he said. ``We said we don't want to be part of it. So they went out and got it from public records.''

While it's not a privacy violation to post on the Web information that's publicly available elsewhere, ``it's a different kind of access,'' noted Joy Pritts, senior counsel with the Health Privacy Project at Georgetown University. ``If it goes on the Internet by mistake, it's in front of millions of people as opposed to the five people in your office,'' she said. Pritts questioned the ethics of collecting information for one purpose and then selling it for another. ``It certainly would make them more vulnerable to people who oppose what they do.''

For Justin Graham, a doctor in Stanford's infectious diseases training program, doctors, like everyone else, face the problem of eroding privacy. ``There's no absolute guarantee of privacy anymore,'' he said. ``Still, (personal information) shouldn't be posted on a billboard on Highway 101, either.''

Contact Kristi Heim at kheim@sjmercury.com or (408) 920-5026.
From owner-med-privacy@venice.essential.org Mon Apr 17 15:26:22 2000
From: Peter Marshall
Date: Mon, 17 Apr 2000 12:31:08 -0700
To: med-privacy@venice.essential.org
Subject: [Med-privacy] POST on proposed regs.

New government regulations proposed last fall are supposed to protect the privacy of medical records, but doctor groups and privacy advocates believe they'll actually make it easier for employers, police and others to gain access to the information. The Washington Post reports.
http://washingtonpost.com/wp-dyn/articles/A21639-2000Apr15.html

Copyright (c) 2000 PersonalReader.com

From owner-med-privacy@venice.essential.org Mon May 15 11:55:46 2000
From: Peter Marshall
Date: Mon, 15 May 2000 08:59:16 -0700
To: med-privacy@venice.essential.org
Subject: [Med-privacy] test

From owner-med-privacy@venice.essential.org Mon May 15 12:08:25 2000
From: Peter Marshall
Date: Mon, 15 May 2000 09:11:54 -0700
To: med-privacy@venice.essential.org
Subject: [Med-privacy] prescription info. & supermarket cards

Behavioral Health Matters - Use of Patient Pharmacy Data
From Drug Benefit Trends®

Behavioral Health Matters
A Case of Inappropriate Use of Patient Pharmacy Data

Jay M. Pomerantz, MD

[Drug Benefit Trends 12(1):2, 6, 2000. © 2000 Cliggott Publishing Co., Division of SCP/Cliggott Communications, Inc.]

I have been practicing psychiatry for many years, and consequently little surprises me, even in the current managed care era. Yet, a recent letter from a patient's mother asking for a new set of prescriptions did shock me. Here is the letter. I have left out the family name, particular supermarket, and town of residence; otherwise, the letter is unchanged.

Dear Dr Pomerantz,
You've prescribed Zoloft for my daughter's depression. I've been having her prescriptions filled at a pharmacy that is located in the supermarket where I do most of my grocery shopping. When I pay the cashier, I also give him/her my supermarket shoppers card. This card entitles you to store discounts. It also keeps track of what you buy. I get coupons at the register -- always for products I've bought (or competitors' products). Last week I was given by the cashier a coupon for "depression sufferers." It offered a telephone number for information about clinical depression. (I've enclosed a copy of this coupon.)
I was appalled to receive this coupon. Does this mean that the store's regular cash register/computer has access to information on the store's pharmacy cash register/computer?
I called the pharmacy and spoke to a "senior pharmacist." At first he said this was probably just a "coincidence" that I received a coupon concerning clinical depression. But further into our conversation he admitted that he really didn't understand the "intricacies" of computers -- that it might be possible that confidential information about who gets what script could somehow be connected to the store cash registers! He promised to check with the powers that be.
Needless to say, I'll get my daughter's scripts elsewhere -- hoping that my new choice of pharmacy will respect my right to confidentiality!
Sincerely,
[Name withheld]
After receiving this letter, I called the toll-free number for "depression sufferers." The telephone was answered by a person who identified himself only by a first name and asked me a series of questions. He wanted to know whether I was calling for myself or someone else. He then asked if the person I was calling about had any of a long list of symptoms of depression. After I gave him my name and address, he promised to send me a free depression information kit to arrive in 2 to 3 weeks. Throughout the telephone call, the interviewer emphasized that my responses were confidential.

Discussion

There are at least two obvious possibilities for why my patient's mother received the "depression sufferers" coupon. One explanation is that all customers, independent of any pharmacy data, got the offer. In that situation, I object to the insensitivity and trivialization implied in the joint marketing of depression and groceries; blending those items harkens back to the era of direct marketing of snake oil. I also wonder about the sophistication of the toll-free number interviewer who never once mentioned the risk of suicide, despite my answers indicating that "my friend" had every sign of a severe major depression. Nor did I sense from the interviewer that there was urgency to treating depression. The interviewer merely asked whether the friend was taking medication and, if so, which one. There were no questions about psychotherapy, nor any about the availability of emergency mental health resources. In all fairness, it was about what one would expect to get from a grocery store coupon offer!

The other scenario, which is that the depression sufferer's coupon represents an instance of individual prescription profiles being used to target patients for marketing purposes, troubles me even more. Indeed, I am writing this article to caution drug manufacturers, pharmacies, supermarkets, and the like to avoid even the appearance of such a practice, especially in a sensitive area such as behavioral health.

My suspicions that such practices are already here or are on the immediate horizon derive from knowing that pharmacy data are used to target physicians. When I attended a 3-day conference last fall sponsored by a drug company about the use of anticonvulsants in bipolar illness, I found out at the meeting that the psychiatrists attending had been selected by prescription data reflecting their treatment of high numbers of patients who have bipolar illness. This kind of information, which targets physicians and does not breach patient confidentiality, may be helpful and potentially educational. The point is that the data are in the computers. We now have to be on guard that the data are used properly. I hope that the coupon given to my patient's mother was a false alarm and that we will never see individual marketing to behavioral health patients that is based on confidential prescription data.

The long-awaited "depression information kit" arrived 3 weeks after the 800-number interview. The kit was nothing more than an advertisement for an antidepressant medication, a brand that rivals the medication my patient takes!


Dr Pomerantz practices psychiatry in Longmeadow, Mass, and is a lecturer on psychiatry at Harvard Medical School in Boston.

Copyright © 1994-2000 by Medscape Inc.

From owner-med-privacy@venice.essential.org Mon May 15 12:29:49 2000
From: Peter Marshall
Date: Mon, 15 May 2000 09:33:21 -0700
To: med-privacy@venice.essential.org
Subject: [Med-privacy] online privacy & records privacy

Physicians Financial News®

Protecting Privacy On-Line

Gregory Crawford

[Physicians Financial News 18(5):S10-S11, 2000. © 2000 PFN Publishing, Inc.]

Physicians face dual issues: How to safeguard your own personal data as well as that of your patients.

[....]

"The medical profession faces some of the greatest challenges on the Internet," says Mark Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), a privacy advocacy group based in Washington, D.C. "Medical information is considered among the most sensitive information there is."

He notes that one recent study found gaping holes in the privacy practices of healthcare companies. "The assumption is made that if they have a privacy policy in place, then that's all they need. But a privacy policy has to be translated into privacy practice," he says.

The report, conducted for the California Healthcare Foundation by the Health Privacy Project at Georgetown University and Internet consultant Mr. Smith, found inconsistencies between health Websites' privacy policies and the actual practices. In addition, the policies in place often fall short of actually safeguarding the information and many sites do not have adequate security measures in place to protect information from computer hackers. The study also found that even when a site has a privacy policy, the protections in place do not follow the information once it leaves the site. And like DoubleClick, many sites collect information about visitors, often without their knowledge or consent.

"The issue with health records is that the security infrastructure is not there yet," Mr. Smith says. "Another concern is whether people will use medical records for marketing. Those are the two biggest areas I'm worried about."

For individual physicians, on-line privacy should be an issue worked out well in advance if a Website is set up or goes live, privacy experts say.

"Doctors are generally pretty good at protecting patients' privacy, so they need to take that culture and the Hippocratic oath and then integrate that into Website design and structure," says Evan Hendricks, editor of Privacy Times (www.privacytimes.com), a biweekly newsletter about privacy and the freedom of information. "A doctor can easily get information out to patients or potential patients without collecting personal information."

Unintentional Disclosure

Zoe Hudson, one of the authors of the California Healthcare Foundation study on health Websites' privacy practices, says doctors need to be aware of the possibility of unintentional disclosure or collection of information, like through banner ads.

One key consideration, she says, is if the site is produced in conjunction with a drug company, physician group or HMO, are they getting information from visitors to the site without their knowledge?

From an institutional standpoint, privacy advocates have been calling for guidelines and laws to protect personal information, which would in many cases make it easier for doctors to create their own Websites and keep privacy concerns to a minimum.

"Our view is there needs to be legal rights to protect personal privacy information, to give consumers control of their information that's held by other entities," EPIC's Mr. Rotenberg says. "But technology also plays an important role."

Some regulators are on the case. In early February, Senator Robert Torricelli (D-NJ) proposed a plan that would make it unlawful for companies to collect personal information on-line without first getting permission from the consumer. Shortly after that proposal, House and Senate lawmakers formed task forces to grapple with privacy issues over the Internet, noting that the laws have not kept pace with technology.

In terms of patient healthcare records, legal protection and regulation of such documents sent electronically is an issue that Congress appears to be gearing up for. In March, the House Ways and Means health subcommittee held a hearing on the Department of Health and Human Services' proposal, issued last fall, to protect electronically transmitted medical records. That 600-page proposal included provisions for consumers to control their medical records, accountability for use of medical records, limits on the use of those records and a mechanism to balance privacy protections with the need to use records to protect public health, conduct medical care or improve the quality of care.

Shortly thereafter, the Health Insurance Association of America chimed in, saying the regulations as proposed would limit the ability of insurers and health plans to improve the quality of healthcare. The trade association also said the regulations carried too much red tape that would only lead to higher health insurance premiums.

Mr. Hendricks of Privacy Times says any on-line privacy law should give consumers a baseline of protection and prevent information that is collected for one purpose from being used for another purpose without the consumer's consent.

In addition, he says the Federal Government should set up a national privacy agency -- similar to the National Labor Relations Board -- to handle questions, disputes and other privacy problems. "Every Western country has a national privacy office except the United States," he says.

[....]

Gregory Crawford is a former business correspondent for Reuters News Agency where he covered business, finance and economics.

Copyright © 1994-2000 by Medscape Inc.

From owner-med-privacy@venice.essential.org Mon May 15 12:34:45 2000
From: Peter Marshall
Date: Mon, 15 May 2000 09:38:08 -0700
To: med-privacy@venice.essential.org
Subject: [Med-privacy] on proposed HIPAA regs

Legal Matters

Health Information Confidentiality: The Federal Government Steps In

Robyn A. Meinhardt, RN, JD

[Drug Benefit Trends 12(2):27-28,41-42, 2000. © 2000 Cliggott Publishing Co., Division of SCP/Cliggott Communications, Inc.]

Introduction

On November 3, 1999, the Department of Health and Human Services (HHS) published its much-anticipated proposed regulations dealing with the confidentiality of individuals' health information.
While the proposed regulations, which were developed by HHS under the "administrative simplification" provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), are narrower in scope than the various confidentiality bills that were stalled in Congress for the past 2 years, they will drastically change the way in which the health care industry handles the health information of the persons it serves. Compliance with the regulations will not become mandatory until 26 months after they are published in final form; meanwhile, written comments regarding the proposed regulations may be submitted to HHS through February 17, 2000. = This column discusses the types of activities that will bring an individual or a company under the requirements of HIPAA and its "administrative simplification" regulations. It also highlights several important aspects of the proposed confidentiality regulations for PBMs and the pharmaceutical industry. = = = Background: Administrative Simplification When Congress passed HIPAA, it intended to standardize, and thereby simplify, electronic data interchange (EDI) within the health care field. The administrative simplification provisions mandate (1) compliance with uniform standards for information transactions and data elements; (2) the use of a unique identifier for each patient, employer, health plan, and health care provider; (3) the use of standardized code sets for the data elements used in EDI; and (4) compliance with security, electronic signature, and privacy standards. HHS's proposed confidentiality regulations respond to the requirement for privacy standards. = = = Application to a Specific Industry or Activity Determining whether HIPAA applies to a particular individual or company is an important first step in crafting the approach of a business to patient confidentiality issues. 
= = = Direct Application: Covered Entities The administrative simplification provisions apply directly to only three "covered entities": = = = Health care providers. = = = Health care clearinghouses. = = = Health plans. = = = HIPAA, however, defines those categories broadly. "Health care provider," for example, includes "any person who furnishes health care services or supplies." "Health care" includes any "preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure with respect to the physical or mental condition, or functional status, of a patient or affecting the structure or function of the body." It also includes the "sale or dispensing of a drug, device, equipment, or other item pursuant to a prescription," and the "procurement or banking of blood, sperm, organs, or any other tissue for administration to patients." = Consequently, whenever a PBM, medical device manufacturer, or pharmaceutical manufacturer furnishes drugs or medical devices directly to a patient, that PBM or manufacturer is a "health care provider" and is directly subject to all of HIPAA's complex rules. PBMs that provide drug product counseling to patients will also be considered health care providers. Involvement with research activities may also bring an unsuspecting PBM or manufacturer under the "health care provider" label when those activities involve providing "health care" to the person. If someone involved with research activities is providing "health care," he or she must comply with HIPAA's applicable confidentiality requirements. = Employers, even if not serving the health care industry, may find themselves unwittingly subject to the regulations when they fund an employee benefit plan that pays for their workers' health care. 
Under the regulations, this type of benefit constitutes a "health plan," so that any person's health information received by the employer when administering that plan must be protected in all the ways specified by the regulations. PBMs, pharmaceutical manufacturers, and others whose activities do not bring them under the "health care provider" label could nonetheless find themselves subject to HIPAA by virtue of their employee benefits structure. = = = Indirect Application: Business Partners of Covered Entities Indirect application of HIPAA's confidentiality requirements occurs when an individual or a company sees or uses health information while providing services to one of the three covered entities. This can occur when these entities do business with each other or when one outsources services to a person or company that is not covered by the regulations. Under the proposed privacy regulations, there has to be a "business partner agreement" between the covered entity and each "person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity." HHS requires an actual "business partner agreement" whenever a covered entity discloses health information to business partners. There are 11 elements that must be included in a business partner agreement; among them are a provision giving the patients the right to sue under state law for breach of the agreement, and the promise to comply with all of the covered entity's policies that are relevant to the use or disclosure of health information obtained under the agreement. = Indirect application works like this: a PBM whose activities bring it under the "health care provider" label must have its own confidentiality policies and protections in place. 
However, when the PBM also performs services for another covered entity, perhaps by providing outsourced pharmacy services within a hospital, the PBM is considered to be the "business partner" of that hospital. As such, the PBM must agree to apply the hospital's confidentiality policies to all health information the PBM receives while performing the pharmacy services for the hospital. = Because there is some flexibility in HIPAA's confidentiality requirements, the policies of covered entities may vary significantly in some respects, and it cannot be assumed that each covered entity will have implemented the confidentiality requirements in the same way. As a result, PBMs that are "health care providers" under the regulations and that also perform services for other covered entities will have to abide by a number of different confidentiality schemes with regard to the health information it receives as the business partner of those other entities. = Business partner relationships can also occur between a covered entity and a person or company that is not a covered entity. For example, a PBM that is a health care provider might outsource data analysis activities to a vendor of such services. Alone, the data analysis vendor would not be subject to the confidentiality regulations, even if it received health information directly from patients. However, if the vendor receives individuals' health information from the PBM for analysis, the PBM must require the vendor to comply with the PBM's confidentiality policies and protections as to that information. = = = Nonapplication Industries may currently think themselves subject to HIPAA when they are not. For example, manufacturing and selling pharmaceuticals does not make the manufacturer a covered entity. Nonetheless, a pharmaceutical manufacturer should be aware of HIPAA requirements for at least two reasons. 
First, related lines of business such as pharmacy benefits management and clinical research could be directly subject to HIPAA under the "health care provider" definition, and they should be evaluated in that light. Second, the manufacturer who is sensitive to the HIPAA-related concerns of its health plan and health care provider clients will have some level of advantage.

Provisions of the Proposed Regulations

Specific provisions of the confidentiality regulations may come as a surprise. They will likely shock those business partners who are not themselves covered entities, and they may be of interest to those persons and companies that are in the health care industry but have so far escaped both the direct and indirect applications of HIPAA (but who may later become subject to similar provisions, should Congress decide to act further to protect health information).

What Information Is Protected?

"Protected health information" (PHI) under the proposed regulations must meet four criteria:

- The information must be "identifiable" to an individual.
- The information must have been created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.
- The information must relate to the past, present, or future physical or mental health or condition of the person, the provision of care to the person, or payment for health care to the person.
- At some point, the information must have been put into electronic format by a covered entity. Once it has been put into electronic format (which includes faxing) by any covered entity, all covered entities (and their business partners) must protect the information in accordance with the regulations regardless of where or in what form the information is subsequently found; even its oral expression is subject to the regulatory protections.

These provisions raise interesting dilemmas.
For example, a covered entity will not usually know when another covered entity has put a particular piece of health information, such as a diagnosis associated with the person's name, into electronic format. Also, once a piece of health information comes under the protections of the regulations by meeting the four criteria described above, the protection attaches regardless of where the health information is found, even when it is mixed with nonprotected health information in a medical record.

Consequently, covered entities will likely find the fourth criterion, electronic formatting, irrelevant for two reasons. First, it would be virtually impossible to administer two sets of confidentiality policies, one for federally protected health information and another for health information protected solely by state or other limited federal laws. Second, it would be equally difficult to track protected health information through all its permutations and uses by all covered entities.

Researchers and others who remove individual identifying information in order to use and disclose health information more freely should be aware of the regulations' proposed definition of "de-identified" health information. Under the proposed regulations, health information will not be considered "de-identified" unless all of a list of 18 types of identifiers are removed, including name, address including ZIP code, names of relatives, name of employers, birth date, telephone numbers, fax numbers, electronic mail addresses, Social Security number, medical record number, health plan beneficiary number, account number, certificate/license number, any vehicle or other device serial number, Web Universal Resource Locator (URL), Internet Protocol (IP) address number, finger or voice prints, photographic images, and any other unique identifying number, characteristic, or code that the covered entity has reason to believe may be available to an anticipated recipient of the information.
This requirement drastically reduces the likelihood that de-identified information will suffice for a particular use or disclosure.

What Are the Rules About Disclosure?

Disclosure of PHI is prohibited -- unless explicitly allowed. Disclosure is allowed only:

- To carry out treatment or payment.
- To perform the management functions necessary to support treatment or payment.
- When provided to the person to whom the PHI pertains, or his or her designee.
- When provided to the Secretary of HHS for oversight activities; for public health, law enforcement, health oversight, judicial and administrative proceedings.
- To report health care fraud.
- For research (within strict requirements), certain emergencies, and military purposes.
- When provided by a health care provider to a health plan for audit and related purposes.
- When authorized by the patient.

Express authorization is required for all disclosures or uses not otherwise allowed by the regulations, such as marketing of health and nonhealth items and services, or disclosure "by sale, rental or barter." For example, had the proposed regulations been in effect when pharmacy chain CVS disclosed health information to its outside vendor, Elensys, for marketing activities, each patient's written authorization would have been required.

If an authorization is "defective" in that it does not contain all the elements required by the regulations, it will not be valid. Furthermore, if a covered entity requests the authorization, and disclosure or use will result in financial or "in-kind" gain to the provider or health plan, the authorization must state that such gain will result. Failure to include this statement will void the authorization and could incur stiff penalties: fines as great as $250,000 and imprisonment as long as 10 years.
The proposed regulations do not define what constitutes financial or in-kind gain; it is hoped that the final regulations will shed more light on this critical point.

Only the "minimum necessary" information may be disclosed, based on the purpose of the disclosure. This requirement applies to each and every disclosure, even disclosures for purposes of treatment and referral and even those necessary for conducting quality improvement reviews. Consequently, each and every intended disclosure must first be scrutinized to narrow the disclosed information to that which is the "minimum necessary," and PBMs that are covered entities or the business partners of a covered entity must designate personnel to perform and police this function. HHS acknowledges that the "minimum necessary" requirement will likely be the most costly and burdensome of all its proposed confidentiality regulations; more accurately, the requirement as set forth in the proposed regulations appears to be virtually unworkable.

Notice to Patients

Covered entities will be required to give patients notice of their right to request restrictions on the use and disclosure of their PHI. If a patient requests restrictions that would otherwise be allowed by the regulations without the patient's authorization, the covered entity may choose whether to agree to those restrictions. If it agrees to those restrictions, they must be in writing, and violation of that agreement will constitute violation of the regulations.

Each covered entity must also give written notice of its information practices to each patient served. The notice must describe the types of disclosures the covered entity makes, "in sufficient detail to put the individual on notice of the uses and disclosures expected to be made" of his or her PHI.
The notice must state that the patient has the right to inspect and copy his or her PHI, the right to request amendment or correction of the PHI, and the right to receive an accounting of all disclosures of the PHI made by the covered entity (except those disclosures made for treatment, payment, or health care operational purposes or made to health oversight or law enforcement agencies). This "notice of information practices" must be given to patients (1) upon request; (2) during the initial period of implementation of the regulations; and (3) periodically thereafter as the notices are amended. Health plans must mail the notices to patients, initially and at least every 3 years thereafter, whereas health care providers may initially hand them to patients at the point of service and thereafter need only post, not distribute, revisions to their notices.

Other Rights for Patients

Covered entities must keep an accounting of all disclosures of a patient's PHI, except for disclosures for treatment, payment, health care operations, and to health oversight or law enforcement agencies. They must also make the accounting available to the patient and require their business partners to provide such an accounting. The accounting must be retained as long as the PHI is retained.

Patients have the right to request amendment or correction of their health information. The covered entity may deny such a request only if it determines either that (1) the information was not created by it; (2) access to the information may result in harm to the individual or others; (3) certain circumstances related to clinical trials or legal proceedings apply; or (4) the information is accurate and complete. If the request is denied, the covered entity must give the patient a written statement of the basis for the denial and instructions as to how the patient can file a statement of disagreement with the covered entity and with HHS.
The patient's statement of disagreement must thereafter be disclosed whenever the contested information is disclosed.

If the patient's correction or amendment is accepted, the covered entity must make reasonable efforts to notify those whom the patient identifies as needing to be notified, and anyone else the covered entity knows has received the erroneous information and whose reliance on that information would be detrimental to the patient. The covered entity's policies must spell out the process for making the amendment.

The PHI of deceased persons is protected by the regulations for 2 years after death.

The Privacy Infrastructure

Each covered entity must designate a privacy official to be responsible for the development and implementation of privacy-related policies and procedures. It must also designate a contact person or office for receiving complaints of violations and must educate its workforce regarding its confidentiality policies and procedures. The covered entity must adopt the necessary policies and procedures and put into place the technologic and administrative infrastructure necessary to implement those policies and procedures. The procedures must address methods for verifying the identity and authority of persons requesting PHI and for mitigating any harm caused to individuals by an unlawful use or disclosure. Finally, the procedures must include methods for monitoring the compliance of the covered entity's workforce and of its business partners and for documenting the results of that monitoring.

Civil and Criminal Penalties

In addition to the potential for private lawsuits under business partner agreements, HHS has established civil monetary penalties for violations of the confidentiality regulations. These fines may be as much as $100 per person per violation, but not more than $25,000 per year for violation of a single regulatory standard.
HIPAA also establishes three levels of criminal penalties for knowingly obtaining or using individually identifiable health information in violation of any of the HIPAA regulations. The lowest level involves fines as high as $50,000 and imprisonment for up to 1 year. At the second level, for use and disclosure of PHI under false pretenses, the fines can reach $100,000 and imprisonment can last 5 years. The most egregious penalties are reserved for use or disclosure of PHI with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm: fines as high as $250,000 and imprisonment for up to 10 years.

The proposed confidentiality regulations state that HHS will seek "informal resolution" of noncompliance whenever possible; but if these efforts are unsuccessful, HHS may refer the matter for civil money penalties or criminal prosecution.

Preemption of State Laws: A Potential Morass

HIPAA limits the authority of HHS to mandate compliance with the confidentiality regulations. Under HIPAA, the confidentiality regulations may set only the minimum acceptable requirements; state laws that are contrary to, but more stringent than, the federal regulations will remain in effect. In other words, the federal confidentiality regulations are a "floor" above which states may construct laws that are more protective of confidentiality. In addition, state laws that relate to public health and oversight of health plans will remain in effect.

The regulations do not identify an authority responsible for deciding whether a particular provision of state law is preempted. Instead, HHS opines in its comments that state-based, health care-related trade associations will make these determinations for their members.
Even if this prediction comes to pass, the fact remains that no one has been given the authority or responsibility for making preemption determinations; this situation creates great potential for confusion and ambiguity as to the enforceability of conflicting state laws. The regulations do describe a procedure by which states may submit requests to the Secretary of HHS to exempt certain limited types of state laws from preemption, as well as an advisory process by which a state may ask the Secretary of HHS to give her "advisory opinion" as to whether a particular state law provision is more stringent than the federal requirements. However, neither of these processes will address in any comprehensive manner the ambiguities created by the preemption scheme. It remains to be seen whether the final regulations will improve upon this "bits and pieces" approach to preemption.

Conclusion: 2 Years Is a Very Short Time

The proposed confidentiality regulations are open for comment until February 17, 2000, and may, as a result of comments submitted, be substantially revised before being released in final form. HHS is currently indicating that all of its final administrative simplification regulations, including but not limited to the confidentiality regulations, will be released this spring. Although compliance will not be mandatory for 26 months after publication of a final regulation, the changes in administrative, technologic, and operational infrastructure and procedures will be drastic for many covered entities and certainly for their business partners. It is not too soon to get started with the process of improving health information confidentiality protections.

Copyright © 1994-2000 by Medscape Inc.
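The de-identification list in the Medscape article above is, in effect, a specification that a data-handling pipeline can be checked against. The Python below is an added example for this list archive, not code from the article, from Medscape or from HHS: it removes the direct-identifier fields from a constructed patient record, redacts identifiers with a recognisable shape (SSN, phone, e-mail, URL, IP address, dates, ZIP) from free-text notes, and returns both the cleaned record and a findings list for the reviewer. The field names, the sample record and the regular expressions are assumptions made for the example.

```python
import re
from typing import Any

# Record fields treated as direct identifiers. The field names are assumed for
# this constructed example; they track the identifier categories the article
# lists (name, address/ZIP, relatives, employer, birth date, phone, fax, e-mail,
# SSN, record/plan/account/licence numbers, serials, URL, IP, biometrics, photos).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "zip", "relatives", "employer", "birth_date",
    "phone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_beneficiary_number", "account_number",
    "certificate_license_number", "vehicle_serial", "device_serial",
    "url", "ip_address", "biometric_id", "photo",
}

# Identifiers with a recognisable shape that tend to leak into free-text notes.
# Order matters: the more specific shapes are redacted before the ZIP pattern,
# which would otherwise fire on any five-digit run. These patterns are an
# assumption of the example, not a regulatory definition.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.IGNORECASE),
    "ip_address": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    # The article lists birth date; free text rarely says which date is which,
    # so this example redacts every full date it can recognise.
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
    "zip": re.compile(r"(?<!\d)\d{5}(?:-\d{4})?(?!\d)"),
}


def scrub_text(text: str) -> tuple[str, list[str]]:
    """Replace recognisable identifiers in free text with [REDACTED:kind] markers."""
    hits: list[str] = []
    for kind, pattern in FREE_TEXT_PATTERNS.items():
        text, count = pattern.subn(f"[REDACTED:{kind}]", text)
        hits.extend([kind] * count)
    return text, hits


def deidentify(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Drop direct-identifier fields and scrub every string field.

    Returns the cleaned record and a findings list naming each field removed
    and each free-text redaction, so a reviewer can see what was taken out.
    """
    cleaned: dict[str, Any] = {}
    findings: list[str] = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            findings.append(f"removed field '{key}'")
            continue
        if isinstance(value, str):
            value, hits = scrub_text(value)
            findings.extend(f"redacted {kind} in '{key}'" for kind in hits)
        cleaned[key] = value
    return cleaned, findings


def is_deidentified(record: dict[str, Any]) -> bool:
    """Necessary, not sufficient, check: no identifier field remains and no
    recognisable identifier shape is left in any string field. Names, employers
    and "any other unique code" have no shape to match and still need
    field-level handling or human review."""
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            return False
        if isinstance(value, str) and any(
            p.search(value) for p in FREE_TEXT_PATTERNS.values()
        ):
            return False
    return True


# Constructed sample record; every value is invented for the example.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Sample",
    "birth_date": "1960-01-05",
    "medical_record_number": "MRN-0001234",
    "zip": "20003",
    "diagnosis_code": "E11.9",
    "encounter_year": 1999,
    "notes": (
        "Pt seen 12/3/1999, follow-up call to 202-555-0123; "
        "spouse reachable at jane.sample@example.com. "
        "Results uploaded from 10.1.2.3."
    ),
}

if __name__ == "__main__":
    cleaned, findings = deidentify(SAMPLE_RECORD)
    print(cleaned)
    for finding in findings:
        print(" -", finding)
    print("de-identified:", is_deidentified(cleaned))
```

Pattern matching only catches identifiers that have a shape; the article's categories that do not (names, relatives, employers, fingerprints, photographs, and the catch-all "any other unique identifying number, characteristic, or code") are why the example removes whole fields rather than trusting the text scan, and why is_deidentified should be read as a gate that can fail a record but never certify one.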
From owner-med-privacy@venice.essential.org Mon May 15 12:39:28 2000
Return-Path:
Delivered-To: med-privacy@venice.essential.org
Received: from tisch.mail.mindspring.net (tisch.mail.mindspring.net [207.69.200.157]) by venice.essential.org (Postfix) with ESMTP id 2C7BA2A31B for ; Mon, 15 May 2000 12:39:28 -0400 (EDT)
Received: from ix.netcom.com (user-2ini82m.dialup.mindspring.com [165.121.32.86]) by tisch.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id MAA06031 for ; Mon, 15 May 2000 12:39:26 -0400 (EDT)
Message-ID: <39202912.A0886DBE@ix.netcom.com>
Date: Mon, 15 May 2000 09:43:03 -0700
From: Peter Marshall
X-Mailer: Mozilla 4.08 (Macintosh; I; PPC)
MIME-Version: 1.0
To: med-privacy@venice.essential.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: [Med-privacy] PersonalMD & online records

=====================================================================
THE INDUSTRY STANDARD'S I N T E L L I G E N C E R
This Week in the Internet Economy
=====================================================================
| http://www.thestandard.com | Friday, April 28, 2000

VIRTUAL CHARTS: PersonalMD.com agreed to supply online medical records to Blue Cross Blue Shield of Rhode Island's 550,000 patients. Blue Cross Blue Shield insures about half of the state's population, and its deal with Pleasanton, Calif.-based PersonalMD could spur the widespread adoption of online medical records.
Copyright 2000 The Industry Standard

From owner-med-privacy@venice.essential.org Mon May 15 12:51:16 2000
Return-Path:
Delivered-To: med-privacy@venice.essential.org
Received: from maynard.mail.mindspring.net (maynard.mail.mindspring.net [207.69.200.243]) by venice.essential.org (Postfix) with ESMTP id E73502A31B for ; Mon, 15 May 2000 12:51:15 -0400 (EDT)
Received: from ix.netcom.com (user-2ini82m.dialup.mindspring.com [165.121.32.86]) by maynard.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id MAA31539 for ; Mon, 15 May 2000 12:51:13 -0400 (EDT)
Message-ID: <39202BD6.C19DC55A@ix.netcom.com>
Date: Mon, 15 May 2000 09:54:52 -0700
From: Peter Marshall
X-Mailer: Mozilla 4.08 (Macintosh; I; PPC)
MIME-Version: 1.0
To: med-privacy@venice.essential.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: [Med-privacy] HHS & privacy regs

===================================
AHA NEWS NOW
www.ahanews.com
===================================
Wednesday, April 26, 2000

Senate committee debates merits of HHS privacy regs

The Department of Health and Human Services did not overstep its statutory authority when it issued the 630-page medical record privacy regulations last fall, the General Accounting Office told the Senate Health, Education, Labor and Pensions Committee today. Provider groups disagreed. John Houston, data security officer and assistant counsel for the UPMC Health System and a witness for AHA, said HHS tried to address the privacy of all individually identifiable health information, rather than data sent electronically among providers and payers in transactions specifically described in the Health Insurance Portability and Accountability Act. "This is impossible, and beyond HHS's scope of authority," Houston said. The GAO also noted that despite disagreements over the best way to achieve privacy of medical records, all the groups that submitted comments to HHS supported the concept.

Copyright 2000 by the American Hospital Association.
All rights reserved. AHA News is a registered trademark of the American Hospital Association. The opinions expressed in AHA News Now are not necessarily those of the American Hospital Association. Any article from AHA News Now can be reproduced provided AHA News is identified as the source of the information.

From owner-med-privacy@venice.essential.org Mon May 15 12:54:27 2000
Return-Path:
Delivered-To: med-privacy@venice.essential.org
Received: from maynard.mail.mindspring.net (maynard.mail.mindspring.net [207.69.200.243]) by venice.essential.org (Postfix) with ESMTP id 51B2F2A31B for ; Mon, 15 May 2000 12:54:27 -0400 (EDT)
Received: from ix.netcom.com (user-2ini82m.dialup.mindspring.com [165.121.32.86]) by maynard.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id MAA06247 for ; Mon, 15 May 2000 12:54:25 -0400 (EDT)
Message-ID: <39202C96.23D0C46F@ix.netcom.com>
Date: Mon, 15 May 2000 09:58:04 -0700
From: Peter Marshall
X-Mailer: Mozilla 4.08 (Macintosh; I; PPC)
MIME-Version: 1.0
To: med-privacy@venice.essential.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: [Med-privacy] Healtheon-MS-Humana

> HEALTHEON, MICROSOFT AND HUMANA ANNOUNCE COLLABORATION
>
> Humana Inc. has announced an alliance in which it will use
> Microsoft Windows for Smart Card technology to give members access to
> Healtheon/WebMD's Internet portal and permit secure exchanges of
> healthcare information, the companies announced at the National Managed
> Health Care Congress on Monday.
>
> http://managedcare.medscape.com/20265.rhtml

From owner-med-privacy@venice.essential.org Mon May 15 12:56:53 2000
Return-Path:
Delivered-To: med-privacy@venice.essential.org
Received: from maynard.mail.mindspring.net (maynard.mail.mindspring.net [207.69.200.243]) by venice.essential.org (Postfix) with ESMTP id AFCB32A31B for ; Mon, 15 May 2000 12:56:53 -0400 (EDT)
Received: from ix.netcom.com (user-2ini82m.dialup.mindspring.com [165.121.32.86]) by maynard.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id MAA24970 for ; Mon, 15 May 2000 12:56:51 -0400 (EDT)
Message-ID: <39202D28.505DD3BF@ix.netcom.com>
Date: Mon, 15 May 2000 10:00:31 -0700
From: Peter Marshall
X-Mailer: Mozilla 4.08 (Macintosh; I; PPC)
MIME-Version: 1.0
To: med-privacy@venice.essential.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: [Med-privacy] AHA's HIPAA page

===================================
AHA NEWS NOW
www.ahanews.com
===================================
Thursday, April 27, 2000

AHA launches new HIPAA Web site

The AHA today launched a new Web page (http://www.aha.org/hipaa/hipaa_home.asp) designed to inform member hospitals about the Health Insurance Portability and Accountability Act of 1996. HIPAA mandated the creation of regulations that will govern privacy, security and administrative simplification standards for health care information. HIPAA will require hospitals to implement major changes in how they handle all facets of information management, including reimbursement, coding, security, and patient records. Several proposed and final regulations are expected this year.

Copyright 2000 by the American Hospital Association. All rights reserved. AHA News is a registered trademark of the American Hospital Association. The opinions expressed in AHA News Now are not necessarily those of the American Hospital Association. Any article from AHA News Now can be reproduced provided AHA News is identified as the source of the information.
From owner-med-privacy@venice.essential.org Mon May 15 13:00:45 2000
Return-Path:
Delivered-To: med-privacy@venice.essential.org
Received: from maynard.mail.mindspring.net (maynard.mail.mindspring.net [207.69.200.243]) by venice.essential.org (Postfix) with ESMTP id F0D452A31B for ; Mon, 15 May 2000 13:00:44 -0400 (EDT)
Received: from ix.netcom.com (user-2ini82m.dialup.mindspring.com [165.121.32.86]) by maynard.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id NAA28014 for ; Mon, 15 May 2000 13:00:32 -0400 (EDT)
Message-ID: <39202E02.FA12AC19@ix.netcom.com>
Date: Mon, 15 May 2000 10:04:09 -0700
From: Peter Marshall
X-Mailer: Mozilla 4.08 (Macintosh; I; PPC)
MIME-Version: 1.0
To: med-privacy@venice.essential.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: [Med-privacy] AHA on proposed HIPAA regs

Standards for Privacy of Individually Identifiable Health Information
Overview and Identification of Key Issues

Scope

The regulation applies to covered entities when they use or disclose individually identifiable information in electronic form. However, the rule defines all of these terms broadly, effectively establishing policy for all types of information use or disclosure. The rule preempts state laws that are in conflict with the regulatory requirements and that provide less stringent privacy protections, with specified exceptions for certain public health and health oversight functions.

Covered Entities -- The statute required the regulation to apply to health plans, health providers and health care clearinghouses. "Health providers" are defined broadly to include individual providers, facilities and any "other person or organization who furnishes, bills, or is paid for health care services or supplies in the normal course of business." The regulation refers to those affected directly by the regulation as covered entities.
Recognizing that many covered entities contract with others to perform many functions on their behalf, the regulation creates the concept of business partner. Business partners are subject to the regulation through contracts with the covered entities.

Electronic Form -- The statute applies to information that moves in electronic form. Originally considered a limitation, the Secretary defines electronic information so broadly that most information will be covered by these new rules. The regulation applies to any information, whether it is currently in paper form or not, that has ever been, or will ever be, in electronic form.

Individually Identifiable Information -- Although the regulation only applies to individually identifiable information, the definition of individually identifiable information is so broad that it will be very difficult to de-identify information and still find it useful for any purpose. For example, the list of 19 identifiers that must be stripped in order for the information to be considered de-identified includes zip code, any medical record number, and date of birth. All individually identifiable health information used or disclosed by an entity covered by this rule is considered protected health information (PHI).

Three Major Areas of the Regulation

The three major areas of the regulation are:

- The rules for the use and disclosure of PHI
- The individual's rights with regard to his/her information
- The administrative requirements and safeguards that must be established to protect privacy.

Rules for the Use and Disclosure of Protected Health Information

The regulation defines the purposes for which information may be used without patient authorization, the disclosures and the parameters under which the disclosure can be made without authorization, and outlines specific purposes for which individual authorization is required.
Use and disclosure for treatment, payment and health care operations -- The regulation allows PHI to be used and disclosed without authorization for the purposes of treatment, payment and health care operations. The definitions of these functions describe most of what a hospital or health system does. The term health care operations is intended to allow information to flow freely for quality assurance, outcomes monitoring and other administrative purposes.

Uses and disclosures for other purposes without an individual's authorization -- The regulation lists disclosures that may be made without authorization, and defines the circumstances under which these disclosures may occur. For example, for disclosure or use for research purposes, an Internal Review Board (IRB) or Privacy Review Board must make several determinations about the need for the PHI and the ability of the researcher to protect the information. Other disclosures that do not require individual authorization are for next-of-kin, urgent circumstances, public health reporting, patient directory information, law enforcement and health oversight.

Uses and disclosures for which individual authorization is required -- The circumstances under which individual authorization is required for the use or disclosure of PHI include: marketing of health and non-health items and services, disclosure by sale, rental, or barter, disclosure to an employer for use in employment determinations, and use or disclosure for fundraising.

Right of an individual to restrict uses and disclosures -- Individuals may request that uses or disclosures for treatment, payment and health care operations be restricted. If the provider agrees to the patient's requested restrictions, they must have processes in place to ensure that disclosures are not made that are inconsistent with such restrictions. This does not apply to uses or disclosures that are required by law or for emergency circumstances.
Individual Rights

This section outlines the rights individuals may exercise in connection with their PHI. It includes the right to a notice of the covered entity's information practices, the right to inspect and copy their PHI, the right to amend their PHI, and the right to an accounting of disclosures.

Notice to individuals of information practices -- The regulation describes in detail what the information practices notice must include, and requires providers to give it to patients at the first service delivery opportunity. The notice must be in "plain language" and sufficiently detailed to "put the individual on notice of the uses and disclosures expected to be made of his or her protected health information." The notice must distinguish between those uses and disclosures the entity makes that are required by law and those that are permitted, but not required by law.

Access of individuals to protected health information -- Individuals have the right to inspect and copy their PHI in a "designated record set." The intent of limiting patient access to a "designated record set" is to limit individual access to any information beyond that which is in records that providers use to make decisions about the individual. For example, we believe that this section would not give patients access to quality assurance or peer review records. Covered entities can refuse to let patients see their records for several reasons, one of which is if they believe the information could "endanger the life or physical safety of the individual or another person."

Ability to amend or correct -- A covered entity must allow an individual to request an amendment or correction of information in their designated record set. If the covered entity disagrees with the suggested amendment or correction they must permit the individual to include a statement of disagreement in the record.
The covered entity must have procedures in place to effectuate the amendments, corrections or statements of disagreement in all designated record sets maintained by the covered entity and its business partners.

Accounting for disclosures -- The covered entity must be able to give individuals a detailed accounting of all disclosures of their PHI, except for treatment, payment or health care operations and for a few oversight functions. The record of disclosures must include the date of each disclosure, name and address of the organization or person who received the PHI, a brief description of the information disclosed and the purpose for the disclosure. In addition to covered entities, this information must be available to individuals through business partners and for as long as either entity maintains the PHI.

Administrative Requirements

This section outlines the administrative requirements that a covered entity must put in place to protect the privacy of PHI, including:

- Designation of a privacy official who will be responsible for the development and implementation of the privacy policies and procedures,
- Training for all members of the workforce who obtain PHI, including an attestation every three years that the employee will honor the covered entity's privacy policies,
- Administrative, technical and physical safeguards to protect the privacy of PHI, including procedures for verifying the identity and authority of requestors of information, and
- Detailed specifications of what must be documented to ensure compliance with the regulation.

Note: One provision in this section absolves the covered entity of any liability if an employee or other person associated with a business partner discloses PHI to a law enforcement official, oversight agency or an attorney if they believe the information is evidence of a violation of law. It is entitled "disclosure by whistleblowers."

Enforcement and Penalties

Penalties are outlined under HIPAA.
Under HIPAA, the Secretary is granted the authority to impose civil monetary penalties against those covered entities which fail to comply with the requirements of this regulation. HIPAA also established criminal penalties for certain wrongful disclosures of protected health information. These penalties are graduated, increasing if the offense is committed under false pretenses, or with intent to sell the information or reap other personal gain. Civil monetary penalties are capped at $25,000 for each calendar year for each standard that is violated. In addition, although the regulation does not include a private right of action, it does include the ability for an individual to sue under contract law as discussed below.

KEY ISSUES

This regulation will have a significant impact on most providers. The preemption definition will require individual providers to perform complex evaluations simply to determine which law applies. The ambiguity of some standards, coupled with liability for, and penalties for noncompliance, will encourage providers to create very detailed processes and procedures for ensuring compliance. In addition, the regulation itself is very specific in some areas and will require the development of a multitude of notices, tracking systems, internal audits, and processes for individuals to exercise their rights. With input from state associations, personal membership groups, governing councils, and individual members, AHA staff have identified the following as major issues.

Preemption

The proposed rule overrides contrary, less stringent state laws, but leaves in place state laws relating to privacy that are more stringent than the federal requirements. In addition, there are a variety of state laws that are carved out from pre-emption. The regulation does not anticipate that providers will receive any guidance other than what is in the regulation to determine which, if any, of their state laws are pre-empted.
It only allows states to request Advisory Opinions from HHS and only in limited circumstances. Therefore, providers are going to have to perform a five-part test to determine which rules apply. The provider will have to determine which state laws are:

1. Carved out from the preemption,
2. Privacy laws,
3. "Related to" the individual provisions in the federal regulations,
4. Contrary to the federal regulation, and
5. More stringent than the federal regulation.

Discussion: The statute determined the preemption policy, which means that the Secretary of HHS does not have discretion to alter it. However, AHA believes there may be ways to make it less onerous by designing a process to give covered entities more guidance in determining which laws would apply in their state.

Cause of Action

It appears that even though HHS lacked the authority to include a private right of action in the regulation, there is in effect a cause of action in the proposed rule. Covered entities that enter into contracts with their business partners must name the individuals whose identifiable information is disclosed as third-party beneficiaries to the contract. This would enable individuals to sue both the business partner and the covered entity for all of the use and disclosure obligations included in the contract.

Discussion: This requirement, coupled with the number, complexity and ambiguity of the requirements in the proposed rule, could create tremendous new liability for providers.

Minimum Necessary Standard

This standard states that a "covered entity must make all reasonable efforts not to use or disclose more than the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure." Although this standard states a very important principle, it will be extremely difficult to implement. It not only applies to disclosure external to the covered entity, but also to every single time information moves from person to person for treatment.
For example, every time a physician gives information to a nurse or a nurse to a laboratory, the physician or nurse would have to consider how much information to give to the next person. The preamble discussion also notes that HHS expects the covered entity to ensure that only the minimum number of persons who need the information have access to it.

Discussion: Although the preamble discussion includes language that recognizes the considerable practical and technological limitations involved in monitoring each individual use of information, the regulation specifically notes the need to apply this standard on an individual case basis. Consequently, we believe that this standard will be impossible to implement. The minimum necessary standard is also completely at odds with good medical practice. Caregivers need a full and complete picture of the patient's health to make a diagnosis and develop a treatment plan. It is impossible to determine in advance what information is necessary. What may appear unnecessary from the lab technician's or nurse's perspective may be essential for the physician's diagnosis of the patient's condition. This subjective standard could encourage practitioners in hospitals to withhold information hundreds and thousands of times daily that could be essential for later care. Simply put, it is a very powerful "gag clause." This standard, coupled with the right to sue, creates a tremendous liability for providers and a dangerous precedent for patient care delivery.

Uses of Information That Require Individual Authorization

Except for treatment, payment, and health care operations and the defined list of disclosures, hospitals and health systems are not allowed to use or disclose information for any other functions. The regulation specifically requires authorizations in some situations.
Discussion: It will be critical for providers to assess how they currently use information for what they consider to be legitimate uses that may not have been anticipated by this regulation. For example, some hospitals and state associations believe they may no longer be able to perform some of the market analysis that is currently done to identify utilization patterns. Others have noted that they sometimes use PHI to remind patients about the need for check-ups or prescription refills and wonder if such uses would be considered marketing. Some of these areas need to be clarified and AHA will request such clarification in our comments. However, we would appreciate your help in identifying as many of these uses as possible.

Whistleblower Provisions

Two sections establish new whistleblower standards. The first states that a provider shall not take any retaliatory or discriminatory action against any individual for the filing of a complaint under this section or assisting in an investigation or opposing any act or practice made unlawful by this subpart. This is coupled with the explicit ability for employees to complain directly to the Secretary if they believe a covered entity is not complying with this regulation. The second standard allows a "member of the workforce", if they believe any law has been violated, to give an oversight or law enforcement agency or a legal counsel individually identifiable health information with absolutely no process parameters.

Discussion: The first standard will make it very difficult for covered entities to enforce their internal privacy policies. As noted previously, the proposed privacy standards are numerous and complex and include very subjective standards.
If a covered entity believes an individual has violated a policy, but the employee disagrees and states that the covered entity has violated the policy, the covered entity cannot appear to coerce or discriminate against the employee to encourage him/her to come into compliance. The second standard is equally disturbing. While painstakingly creating numerous barriers to the use of identifiable information for the purposes for which it was created -- treatment -- the regulations allow PHI to be disclosed externally with absolutely no strings attached simply if an individual believes a law has been violated. This process directly contradicts not only the basic premise of this regulation, but also the standards that outline procedures for law enforcement officials to obtain the individually identifiable information.

Directory Information

The regulation requires hospitals to get permission from the individual patient before directory information about them is released to anyone.

Discussion: While appearing to be a benign standard, this requirement created tremendous difficulty in Maine, where they had a similar law. It is a good example of the potential for unintended consequences in this regulation. Hospitals in Maine had great difficulty getting permission from the patient before getting calls from next-of-kin, clergy, florists, friends, etc. asking if their loved one was at the hospital, and where they could be found. The admissions office had to remember to ask and document the answer, and then that information had to be transmitted to the floor or to whoever was answering the phones. In addition, in rural areas where patients knew the hospitals well, patients would by-pass the normal check-in process and go directly to their rooms without being given the chance to give their permission. This created an unnecessary burden and hassle for well-meaning persons on both sides of the request.
The law was repealed quickly and replaced with a law that allows persons to request that their directory information be withheld.

Administrative Requirements, Implementation and Financial Impact

The requirements for documentation of policies and procedures, the new notices and in particular the tracking requirements are numerous and complex. The new requirements pertaining to inspecting, copying and amending PHI will require staff to become more fully aware of the numerous places where medical information resides and to determine whether such information would fall under the category of "designated record set." The minimum necessary standard will require audit trails to be installed in information systems. If the minimum necessary standard is not altered, it will also require covered entities to monitor information sharing practices between individual caregivers to determine if they are adhering to the "minimum necessary" standard.

Discussion: It is critical to consider the many ways in which this regulation creates standards that will be very difficult to meet and increases resources necessary for compliance. The AHA believes that some of these standards are not appropriate for regulation and/or could be made less onerous by allowing providers more flexibility in determining how to meet them. We appreciate any feedback on particular problem areas and suggestions for how to make the regulations more workable.
copyright 1999, AHA

From owner-med-privacy@venice.essential.org Mon May 15 13:10:21 2000
Return-Path:
Delivered-To: med-privacy@venice.essential.org
Received: from maynard.mail.mindspring.net (maynard.mail.mindspring.net [207.69.200.243]) by venice.essential.org (Postfix) with ESMTP id B40392A31B for ; Mon, 15 May 2000 13:10:20 -0400 (EDT)
Received: from ix.netcom.com (user-2ini82m.dialup.mindspring.com [165.121.32.86]) by maynard.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id NAA23133 for ; Mon, 15 May 2000 13:10:07 -0400 (EDT)
Message-ID: <39203043.CEF657DE@ix.netcom.com>
Date: Mon, 15 May 2000 10:13:47 -0700
From: Peter Marshall
X-Mailer: Mozilla 4.08 (Macintosh; I; PPC)
MIME-Version: 1.0
To: med-privacy@venice.essential.org
Content-Type: multipart/mixed; boundary="------------8AF309E76EFBFE89916D4342"
Subject: [Med-privacy] online medical records

http://www.health-records.com/online_health_records.htm

(Attached: online_health_records.htm, text/html)

Online Medical Records: 
Are They the Future of Healthcare?

Some morning in the near future, Alice will log onto the Internet and access her own medical records from her physician Dr. Carroll. She will note that her records show she has high blood pressure and will click on a link to a patient education article about managing high blood pressure through medication, diet, and exercise. Dr. Carroll has left an online prescription for Alice's medication, and she will click on another link to order her prescription to be filled. Later that day, Alice will begin to receive e-mail from drug companies offering her discount coupons for hypertension medicines they sell. Alice worries about who else has access to her medical records. And, after reading all the drug company e-mail, she wonders whether Dr. Carroll has chosen the best and least expensive medication for her. Will Alice have wandered into a Wonderland of more control over her own health, or will she have fallen down a rabbit hole where she has no control over the privacy of her own health information and is more confused about her choices? In this article, we will briefly look at the issue of online medical records and how these new Internet services affect the availability and privacy of health care information.

Who keeps the health records -- Doctors or Patients? 

Internet sites for storing health records are of two types: (1) patients enter and maintain their own health information or (2) doctors store health records that the patient may read in any Web browser. While some believe doctor-maintained medical records will be more accurate than those entered by patients, there are several reasons why sites offering patient-controlled data may be the most widely available type online.

First, physicians have been slow to use electronic systems to capture medical records. Also, many physicians are reluctant to provide patient access to these records because of the extra work involved in uploading the data to the Internet and answering e-mail from patients who don't understand the records or who want more information. Donald Kackett, chief executive of drkoop.com, says that it is better for the patient to be responsible for entering and maintaining data because "If you wait for your doctor to do it, it will never happen." (Wall St. Journal, 08/16/99, B1). Advocates for patient-maintained records say that patients who are concerned about their health are likely to update their files regularly. Moreover, when patients maintain their own records, they can also include alternative medicines or non-prescription drugs they are taking, as well as treatments by all their physicians.


 Personal Health Records Software Alternatives

Where does health records software for personal computers, such as Health-Minder, fit into this future of online medical records? Obviously, a printed copy of a Health-Minder medical summary could be faxed to sites such as PersonalMD.com which store such files as part of a user's online database. Health-Minder could, in future versions, also store downloaded medical records once the form these records will take is known. But these two options provide mere redundancy in records, not adding any new benefit to patients or doctors, and presenting problems of keeping both sets of records current and in synch.

Are there any advantages to maintaining offline Health-Minder records once online services are widely available? Yes, for both technical and substantive reasons. From a technical viewpoint, most users who access the Internet via 28.8 modems and telephone lines will find data entry to be a slow and tedious process, thus limiting the amount of data you will want to enter and update. Typically, one to three questions are asked per Web page, and after pressing SUBMIT, the user must wait for that data to be stored and a new Web page to be presented. Entering or retrieving a whole family's medical information will be even more onerous.

As to record content, none of the online medical records yet allows storage of as wide an array of information as Health-Minder does: work health history, symptom diary, dietary and exercise habits, and more. Nor do the online programs (or even other offline software programs) link a diagnosis to all its relevant tests, treatments, prescriptions, and various health care providers. Online services, unlike Health-Minder, do not handle medical expense data or insurance claim information. In general, then, online information is far less comprehensive and useful. These content issues are not easily resolved by online services because of the slowness of gathering and providing information online, the large databases that would be required for each online user, and because the information from each individual is kept encrypted and isolated from that of other individuals, even those in the same family.

Is privacy of online medical records a concern?

The companies providing these online services promise to use secure technology and encrypt the data so that even their own employees can't read it. They also promise not to sell member lists, but will ask members if they want to be put on lists to receive information on new products, clinical trials, or new treatments relating to their conditions. The services will earn money by signing up patients for these lists and by selling ad space to drug companies and other health services. Legislation that would effectively enforce these promises has yet to be enacted at state or federal levels. (See the sidebar for links to web sites devoted to privacy issues.)


If you worry about insurance companies or employers gaining unwarranted access to your records, online storage of sensitive data can wait until Congress writes privacy regulations into law. If, however, you think putting basic health information online would be useful for emergency use, you may be interested in visiting these Internet sites. Some are up and ready to go, others in a state of development, so revisit them from time to time.


Web Sites for Online Medical Records

AboutMyHealth.Net (see preview tour)

Doctors will enter and maintain data. Patients can view their records using a Web browser if they have an access code from their doctor. Schedule appointments, send doctor e-mail, request lab results or prescription refills.

Drkoop.com

Patients enter own data. Temporarily disabled for improvements (8/31/99). Page was listed under Health Resources as "Preventionaire" and gave tips for preventing illness based on your health information.

Health Compass

Patient maintains health records. Schedule appointments with doctor, request lab results or prescription refills.

PatientWeb

Doctor enters data. Not yet functional as of 8/31/99.

PersonalMD.com


Patients enter own data now; doctor-maintained data may come later. Patients