By Frank James
July 17, 1999
WASHINGTON -- The privacy of Americans' medical records, already eroding in the age of vast computer networks, is threatened with further deterioration because of moves by Congress and the administration, experts say.
Activity in the nation's capital this week focused on competing patients' bill of rights legislation to reform health maintenance organizations, with the Senate approving the Republican version Thursday. But one of the most important patients' rights, medical confidentiality, was not part of that debate.
Legislation has advanced in Congress that some experts say has loopholes that would make it easier for people with commercial or other interests to view nearly anyone's medical records. Meanwhile, legislation designed to provide comprehensive privacy protection has stalled.
The Clinton administration has also threatened medical privacy with its policies, privacy advocates said. For instance, for ostensibly good reasons -- trying to improve health-care quality -- the government has greatly expanded its own collection of medical information on millions of Americans.
On Monday, new federal regulations will be implemented that require health-care workers to collect expanded medical and personal information about home health-care patients. The rules were amended after some experts warned that collecting such extensive information violated individuals' privacy rights.
Some privacy proponents argue the move is an ominous step toward the government creating medical dossiers on everyone. Taken together, the advocates see these trends as a huge threat to the confidentiality of medical records.
They are most alarmed by a medical confidentiality provision in an important piece of financial-industry reform legislation recently passed by the House. The bill has not been approved by the Senate. Introduced by Rep. Greg Ganske (R-Iowa), a Harvard Medical School- trained plastic surgeon, the bill's privacy language is shot through with so many loopholes, critics say, that it would be a privacy nightmare. The unintended consequences, they say, would give companies a nearly free hand in how they used Americans' intimate medical information.
The way the provision is written, an insurance company or its affiliates could share a customer's sensitive medical information with a credit-reporting company without the customer's knowledge or consent, said Janlori Goldman of the Health Privacy Project, a Washington-based group.
Or, Goldman said, if a drug company became an affiliate or subsidiary of an insurer, there would be no limits on how the drug firm could use individual medical information it obtained from the insurer and no control over the drug company if it chose to further disclose a patient's medical information.
The provision does not require law-enforcement agencies to get a warrant before gaining access to medical records.
"To allow for such widespread, uncontrolled sharing of information between insurers and all of their affiliates and subsidiaries, to financial companies, to credit-reporting companies without permission, without consent, without a remedy (such as legal action), to law enforcement without any kind of limit, it's outrageous and it's not what the public wants," Goldman said.
"It makes people pay a terrible price for getting insurance, for opening a bank account, for applying for a mortgage," Goldman said. "The price of doing those absolutely fundamental things should not be that you give up privacy and that your life is an open book to all these industries."
Barbara Levering, Ganske's spokeswoman, defended the provision, saying the congressman merely sought to provide some protection to patients who are also consumers in the changing world of financial services. Many companies that obtain health information from customers -- insurers or banks, for example -- traditionally kept such information private, but are now joining forces.
Levering said the fact that some groups, such as Blue Cross-Blue Shield and the Health Insurance Association of America, oppose the legislation is indicative that such legislation is needed.
Both groups wrote Ganske to say they dislike the provision. "They'd just as soon have nothing," Levering said. The groups called the provision "critically flawed."
The Ganske provision is meant to become obsolete upon passage of a comprehensive medical privacy bill. The Health Insurance Portability Act enacted in 1996 required Congress to pass such a law by Aug. 21, 1999.
The law passed three years ago envisioned the need for medical records to be converted from paper to electronic files, which would make them easier for health-care providers to exchange via computer networks, thereby encouraging health insurance portability. Electronic records dictated the need for a strong federal law on privacy because computerization meant an individual's health files could be linked to create a seamless, cradle-to-grave history.
But congressional efforts have faltered, with the Senate Committee on Health, Education, Labor and Pensions unable to move such legislation forward. The deadline is a little more than a month away and, if Congress does not act, the Department of Health and Human Services will have authority to issue privacy regulations.
Privacy advocates don't like that option, noting that only Congress can give Americans the right to take legal action for privacy violations.
And, unlike Congress, the administration could not write comprehensive rules, only regulations covering electronic records. Those comprise just 5 percent of current medical records.
The health-care industry also wants the issue to remain with Congress, where the industry exerts powerful influence.
"We want federal legislation that's going to create federal rules on this, federal guidelines and prohibitions on disclosure for the kinds of things the privacy folks are worried about," said Alan Mertz, acting president of the Healthcare Leadership Council in Washington.
"We, of all people, want our patients to have trust in the health-care system that their information will be kept confidential," Mertz said. "We need this legislation that balances the goals of having the information kept confidential but at the same time allowing it to be used for what I think the vast majority of Americans would believe are legitimate uses."
Earlier this year, the administration set off medical privacy alarms when it issued proposed rules for its Outcome and Assessment Information Set, or OASIS, project. As part of the program, home-health- care agencies were to collect personal, medical and financial information about patients, data to be forwarded first to state officials and then the federal government.
The Health Care Financing Administration, which oversees Medicare and Medicaid, said the information was essential for monitoring the quality of care. But privacy advocates were concerned by the intrusive nature of the information the government wanted nurses and other health-care workers to gather. The government wanted to know, for instance, whether a patient had a "sense of failure," depression, anxiety, suicidal thoughts or exhibited "socially inappropriate" behavior. Amid protests, the government made some changes and improved its security plans.
"These revisions strengthen the privacy protections for vulnerable home health patients while allowing us to better assure the quality of care that they receive," said Dr. Jeffrey Kang, director for the Office of Clinical Standards and Quality within the Health Care Financing Administration.
But Twila Brase, president of the Citizens Council on Health Care, said the program is a step toward creation of health dossiers on every American.
"The public doesn't understand what HCFA intends," said Brase, whose
Minneapolis group champions medical privacy. "Once this is implemented
in home health, that will be precedent-setting. Then it will be expanded
to all other health-care settings. People have no idea the extent of the
data being collected on them and saved."