More MS news articles for February 1999

Health providers sound privacy alarm

New federal rules require massive personal data


By Jon E. Dougherty
© 1999

Medical professionals have begun sounding the alarm over new federal regulations which they say constitute a huge and egregious violation of a patient's privacy.

Federal and state government agencies have developed a new home health-care tracking system that is about to be introduced for all patients receiving any type of home health assistance.

According to one group monitoring the progress of the new Health and Human Services Department rules, the tracking system will require that all private Home Health Agencies be licensed and comply with the new federal guidelines as a requisite to receiving any form of public funding (such as Medicare and Medicaid).

There are 105 pieces of information that will be collected from patients, occurring a minimum of four times during a patient's receipt of health care services. This standardized data system is called, "Outcome and Assessment Information Set" (OASIS), and it includes a patient's Social Security number, lifestyle, demographics, patient history, living arrangements, supportive assistance, sensory status, respiratory status, elimination status, mental state, behavioral status, activities, medications, productivity and quality of life items. All of this information will be transmitted electronically to a respective state database, which will be summarily linked to a centralized federal database.

One nurse has reported that she had been instructed also to report anything in a home that could be construed as a "health hazard," such as a weapon, though this requirement is not plainly evident in the list of requirements.

Twila Brase, a registered nurse and president of Citizen's Council on Health Care, released a memorandum Feb. 11 expressing concern about the privacy aspect of the new regulations. She included documentation from two other home health care providers and administrators who presented CCHC with the results of a study they did on the details of the proposed rules.

According to the memorandum, both were most concerned about patient privacy.

They told CCHC in a written communiqué that the rules will consist of two main features. If enacted, the new policies will "establish a prospective payment system (required by the Balanced Budget Act of 1997) using reliable outcome and case-mix adjustment data." Secondly, the regulations claim "broad-based, measurable improvement in the quality of care furnished through federal programs."

The 105 OASIS data set was developed, tested, and refined for the past 10 years through research conducted by the Center for Health Services and Policy Research at the University of Colorado. The Brase memorandum said the federal government, the Robert Wood Johnson Foundation and, most recently, the state of New York funded the research.

The memorandum said regulations "require collection of OASIS data items on all non-maternity patients age 18 and over that receive health services from Medicare-certified home health agencies, regardless of the payment source." In other words, even if a patient is paying for their medical care out of their own pocket, if they are being taken care of by an agency that accepts any Medicare payments at all, the data must be collected.

Also contained in the OASIS assessment is data which specifically identifies each patient, such as name, date of birth, and Social Security number, as well as Medicaid and Medicare numbers. Included are over 80 personal and clinical items.

Worse, there are no provisions within the rules that require a patient's knowledge or consent to have their personal and medical information sent to state and federal agencies. And there are no specific consequences mentioned for any patient who refuses "to give consent for broad and open-ended medical records release and storing of identifiable information."

Brase's memorandum also said that specific points of a patient's private life would be electronically catalogued by the government, which breaches "the confidential physician-patient relationship" and leaves "privacy in jeopardy of invasion."

While the sources who contacted CCHC believe a system similar to this one is needed to improve overall public health, "the intent can be easily met --without including patient identifiable data linked with the clinical assessments."

The memorandum study concludes that Section 4602(e) of the Balanced Budget Act of 1997 authorized the HHS Secretary Donna Shalala "to require that HHA's submit any information that the secretary considers necessary to develop a reliable case mix." But, critics maintain the patient identifiable information is not necessary to develop a case mix system or for outcome based quality improvement. Only results are needed; it's not critical that the information be tied to specific patients, especially in a database that can be accessed illegally through computer hacking.

"There is absolutely no reason to have patient identifiers linked to detailed clinical assessments" in order to satisfy the conditions of the OASIS regulations, the memorandum said.

As far as she knew, Brase said, "This is the first time the government has required this kind of database, where the patient's information gets sent directly to Washington."

"Anytime you receive government health benefits," she added, "ultimately, you lose your right to privacy. But in this case, you lose it if you use any home health care -- even if you pay cash or have private health insurance."

Brase said there were "some discussions" currently underway that would require home health providers to ask a patient to consent to having their personal information electronically stored in state and federal databases. "But if they decline," she said, "then they are told to go see a non-Medicare provider, of which there are few."

See Jon E. Dougherty's daily column. He may be reached through E-mail.

© 1999 Western Journalism Center