Vol. 15, No. 27 -- July 26, 1999
Published Date July 2, 1999, in Washington, D.C. http://www.insightmag.com
By Aimee Howd
Americans' medical records no longer are secure, and four health-care bills recently proposed in Congress may not go far enough in restoring encroached privacy rights. It once seemed to be Orwellian fiction, but no more. At the turn of the millennium at least four bills dealing with loss of medical privacy are being considered on Capitol Hill, and intense bureaucratic debates are occurring within the Department of Health and Human Services, or HHS. There is reason for this concern.
Take smart cards. Databases. Highly personal information. Mix these with federal mandates, the perception of invaded privacy and billions of dollars' worth of corporate interests -- and the result is a combination hot enough to ignite a technological, political and philosophical firestorm.
How can public health be served and personal privacy preserved? Thirty-four months ago, in the Health Insurance Portability and Accountability Act, or HIPAA, Congress gave itself a deadline for coming up with an answer. But as the weeks count down toward the Aug. 21 day of reckoning, there is no consensus. Left to flame unchecked, even the best aspects of technological progress and data collection -- with their promises of reduced costs and administrative simplification -- appear to have made vulnerable Americans who once felt their privacy was shielded by firewalls of civil liberty.
Awaiting action in committee are the Health Care Personal Information Nondisclosure Act of 1999 (S578), introduced by GOP Sen. Jim Jeffords of Vermont and Democratic Sen. Christopher Dodd of Connecticut; the Medical Information Protection Act of 1999 (S881), introduced by Utah Republican Sen. Robert Bennett; and the Medical Information Privacy and Security Act (S573/HR1057), introduced by Democratic Sens. Patrick Leahy of Vermont and Edward Kennedy of Massachusetts.
Occasionally there is talk of an emergency move to push back the deadline, but the clock is ticking. If the deadline passes without congressional action, the responsibility for crafting regulations to protect these medical records will fall to the Clinton administration's HHS, headed by Secretary Donna Shalala. So plans already are in the works.
But privacy advocates are not happy with the executive recommendations, the legislative plans or the bureaucratic proposals -- all ostensibly formulated to preserve medical privacy. While packaged under labels of patient protection to lull public outcry, they say, the proposals cater to the interests of government research and the growing public-health industry.
After reviewing the most recent draft of the Jeffords legislation, which
is seen as the markup vehicle most likely to move out of the Senate Health,
Education, Labor and Pensions Committee, Sue Blevins of the Institute for
Health Freedom has concerns. "What appears to be coming is not just the
collection of a paper record that says, for example, 'John Doe is an alcoholic,'
but [the chairman's markup is] talking about authorizing actual collection
of blood, sperm and possibly a single cell," she says. "It looks from the
chairman's marks that you're told you need to give informed consent for
the use of your medical records, yet in order to get health insurance you
are coerced into forfeiting your informed consent. In addition, research
organizations are not necessarily required to get your informed
The Jeffords bill was derailed earlier this month in a disagreement about whether patients whose medical records have been misused should have a right to sue and for how much, and over who should have access to juvenile medical records, says Jeffords spokesman Joe Karpinski. "Jeffords felt we should not go forward with the markup due to the likelihood of losing bipartisan support," Karpinski tells Insight. Other issues, such as whether federal law should preempt state laws on these matters, are even more controversial.
"There are issues out there that are more important than whether an individual will be allowed to sue for unauthorized access to records or who will have access to the records of minors," says medical-privacy expert Twila Brase of the Citizen's Council on Health Care. "The important issue for the public is that this bill does not protect confidentiality."
Partisans of the policy counter that many of the concerns of privacy-rights advocates are out of touch, that in today's integrated health-care system the old concept of privacy is in the way of scientific expansion, high-quality care and patients' need and expectation of high-speed service. "The problem is that health information flows now without patients being aware of it. And, a totally voluntary system wouldn't work. I mean, every time you submit a claim or request treatment, that is information about you going to your provider. Also, certain public-health needs, such as tracking AIDS and other [sexually transmitted diseases], need personal information to do their job," says Karpinski. "Also, some providers use personal information to operate preventive-care programs that a person would not be able to access if they restricted their records."
Traditionally the right to privacy in health care meant securing the patient's choice of how much medical information could be shared and with whom. From the "Oath of Hippocrates," written in the fourth century B.C., physicians proclaimed: "Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not be noised abroad, I will keep silence thereon, counting such things to be as sacred secrets."
Has such medical privacy gone glimmering? According to a Congressional Research Service study, during an average hospital stay in 1996, a patient's records were seen by at least 400 people. That year, reports the National Research Council, the health-care industry spent an estimated $10-$15 billion on information technology. And the people who see these detailed records are not necessarily involved directly with providing health care. They range from employers, insurance companies and government agencies concerned with cutting costs to marketers of pharmaceutical or insurance products hoping to increase their profits and to researchers of all kinds.
"The patient's expectation that information supplied to a physician is confidential may no longer be realistic," says a Congressional Research Service report updated this spring. "Concerns are increasing that, if patients believe their records are not confidential, they will no longer provide physicians with information potentially important for effective treatment."
The 1997 HIPAA legislation requires health-care providers to standardize
and electronically process claims, enrollment activities and verification
of insurance eligibility as a part of administrative simplification. While
it did not formally set up databases or require standardization of clinical
data, it opened the door for such
activities, highlighting what privacy advocates see as an urgent need to legislate privacy of electronic medical records.
Paul Cheng, the chief health-care finance officer for Union Health Center,
was one of the authors of the administrative reduction and simplification
language that was part of failed health-care reform legislation in the
early 1990s, which later was attached to the doomed Clinton health-care
plan before getting life in the HIPAA regulations. He tells Insight that
Congress has "taken a very simple idea and turned it into a very complex
bureaucratic nightmare.... Now what you have
is everybody trying to get everything into an electronic format without trying to simplify matters."
Cheng still favors standardization as a way to cut health-care costs but says, "I personally worry. I have health problems. It's none of someone else's business to know what kind of health problems I have."
Not Such an OASIS
Congressional attempts to legislate medical privacy may be at a standstill, but OASIS, a mandate for invasive bureaucratic data collection, has been fitted with a pair of Seven League boots and is heading for the finish line.
In a dramatic extension of its powers, the Medicare-governing Health Care Financing Administration, or HCFA, is requiring all home health-care recipients to submit to collection of 19 pages of information on their personal lives, including patient history, living arrangements, finances, psychological profiles and everything from sexual behavior to use of profanity.
The initial measure was withdrawn for revision in April after a public outcry but is scheduled to be reinstated on July 19.
"The public must not be deceived," warns Twila Brase of the Citizens' Council on Health Care.
"HCFA has not made any significant changes to the OASIS system as a result of public outcry. OASIS will initiate a federal database on all citizens. The data set is exactly the same as before. The mandate to collect and transmit still stands."
Transfer of data to HCFA's database will begin on Aug. 24. Although the revised rules promise that names and Social Security numbers of health- care users will be masked, their addresses, ZIP codes, medical-record numbers, dates of birth and gender will remain completely open to tracking. And this won't affect only Medicaid and Medicare patients. Because the goal is to make sure that Medicare patients receive the same quality of care as the general population, all home health-care patients will be included, even if they pay cash for services.
Public comments may be addressed to HCFA according to instructions found
in the June 18, 1999, Federal Register, p. 32992, or on the Web at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=1999_register&docid=99-15530.