General Comments: Consumers Union (CU) submits these comments on the Department of Health and Human Services' (DHHS) proposed rule regarding the Standards for Privacy of Individually Identifiable Health Information.(1) CU recognizes the narrow applicability of these proposed rules in that they pertain to electronic records only. However, we believe that in the case of the standards for privacy of individually identifiable health information, the Office of the Assistant Secretary for Planning and Evaluation, DHHS, has attempted to protect consumers' medical privacy within the limits of its authority and resources. CU supports the Agency's efforts to propose these standardized regulations, and believes that DHHS' proposals encompass many of CU's own privacy principles that are essential to protect consumers.
The protection of consumers' medical privacy and full access to medical records for individuals are important concerns. Access to medical records allows patients to become more informed about their medical care. It also allows consumers to verify the accuracy of their medical records. Some courts have held that a right to inspect and copy the contents of individuals' medical records is a recognizable property interest that patients possess in their health information.(2) This right needs to be protected to avoid harmful disclosure of private, personal information.
A 1996 survey conducted by David Linowes, a senior policy adviser to the Institute of Government and Public, found that of 300 Fortune 500 companies, 35% said they considered an applicant's medical record data before hiring and promoting them. Two-thirds of the companies also revealed that they disclosed employee information to creditors who requested it. However, 44% of employees were not told how their records were being used. The survey further showed that only 48% of the companies allowed their personnel to correct or amend any information found in their records.(3) Such statistics highlight the importance of individuals having access to their records and having federal regulations implemented that protect their medical privacy. If patients are not given complete access to their medical records, employment decisions and other decisions that will directly affect them may be based on inaccurate information.
CU believes that any regulation which purports to protect medical privacy should provide consumers the right to amend and/or correct their health information. We firmly believe that health care providers and other holders of health information have a duty to maintain the confidentiality of individually identifiable health information and should be held accountable for protecting an individual's privacy interest.(4)
Americans support strong federally mandated protections for the privacy of individually identified health information. In 1993, a Lou Harris poll found that 97% of those surveyed believed that protecting their medical privacy was important, and 36% found that it was "absolutely essential."(5) Another poll showed that 96% of Americans believed that rules should be implemented to state which individuals have access to medical records and the information that they can obtain.(6) Because of this well-documented need, CU supports the Agency's efforts to propose these standardized regulations. CU also generally supports the Comments issued by the Health Privacy Project on the DHHS' Proposed Rule for the Standards for Privacy of Individually Identifiable Health Information.
Amendment or Correction
(§ 164.516) Amendment and Correction.
Standard: Right to Request Amendment or Correction.
The regulations state that a covered entity may deny an individual's request for amendment or correction if it determines that the information that is the subject of the request (i) was not created by the covered entity; (ii) would not be available for inspection and copying; or (iii) is accurate and complete.(7)
Recommendation: The "original creator of the information rule"(8) (Origination Rule) should be stricken from the final regulations because it does not reasonably balance the burden to covered entities with the protection of individuals' medical privacy.
Rationale: The Federal Privacy Act of 1974 (FPA) does not have such an Origination Rule pertaining to the amendment and correction of information it covers.(9) Consequently, the Origination Rule does not pertain to records of individuals who receive Medicare and Medicaid. Since there is no such requirement for public health insurance, there should not be a different standard set for private insurance. CU believes that enrollees of private insurance should have the same level of protection that Medicare and Medicaid beneficiaries enjoy.
The Comment states that the Origination Rule was included in the proposed regulations because it would be unfair to providers, and a great burden on them, if they had to trace the source of erroneous or incomplete information transmitted to them. Omitting the Origination Rule from the regulations would be neither unfair nor burdensome to covered entities. Quite the contrary, the Origination Rule appears to impose more burdens on covered entities than its absence would. Covered entities that participate in the Medicaid and Medicare programs must already adhere to rules established under the FPA. Including the Origination Rule makes compliance more costly for covered entities because of the administrative expenses they incur to maintain two separate systems.
The Origination Rule has a latent defect. It does not resolve the issue of what occurs to an individual's right to seek amendment and correction when the original record holder no longer exists. For example, who is to be held responsible to amend and correct the record if the original creator of the record goes bankrupt? Does the inaccurate information just remain on the individual's records because the record holder responsible for generating that information no longer exists? The potential for future problems is immense. This can be prevented only if the Origination Rule is stricken.
Recommendation: The regulation's definition of a covered entity in the context of amendment and correction should include business partners.
Rationale: The proposed regulations allow a covered entity to deny a request for amendment or correction on the grounds that it did not create the information. The regulation does not contemplate records created by a business partner, thereby ignoring a reality in today's healthcare industry and creating a loophole under which inaccurate information could be left uncorrected. Ostensibly, when a business partner, such as a billing service, makes an error, no covered entity "created" the erroneous information. Since the information was received from a business partner, who is not a covered entity, no one can be held responsible to amend or correct the information, and therefore the individual's rights are no longer protected.
The covered entity's written contract should require business partners to correct or amend information at the individual's request pursuant to the rights and procedures for amendment and correction outlined in § 164.516. Also, if the definition of a covered entity includes business partners, then an affirmative duty will be imposed on business partners to amend and correct information. This affirmative duty should be applied to requests that are denied as well as those that are accepted.
Standard: Implementation Specification Procedures.
Recommendation: Covered entities should not be the sole judge of the proper amendment and correction procedures to be implemented by them. The regulations should follow the standards established in the Fair Credit Reporting Act (FCRA) in which an unbiased agency implements broad-based standards.
Rationale: A federal regulatory agency, not covered entities, should be responsible for developing the amendment and correction procedures that covered entities should follow. Under the FCRA, the Federal Trade Commission is responsible for implementing procedures in the case of disputed accuracy.
[I]f the completeness or accuracy of any item of information contained in a consumer's file at a consumer reporting agency is disputed by the consumer and the consumer notifies the agency directly of such dispute, the agency shall reinvestigate free of charge and record the current status of the disputed information. (10)
Covered entities have the potential to be biased, and may not implement full and fair procedures to handle discrepancies in individuals' medical records. As with the FCRA, it should be left to an unbiased regulatory agency to determine what procedures should be implemented.
CU believes that the FCRA is relevant in this context because it governs the accuracy of information contained in financial records, which are of importance comparable to medical information. The long-term effects for the individual if the information gets into the hands of the wrong parties can be profound. In the case of medical records, medical practitioners may base their decisions on inaccurate information that they find in the records. Also, medical records are even more important and sensitive than financial records because in the case of medical records a slight mistake may gravely injure an individual or threaten that person's life. Therefore, medical records should be afforded, at a minimum, the same level of protection that is given to financial records under the FCRA.
Recommendation: The time limits given to amendment and correction procedures should be narrowed and explicit.
Rationale: The regulations state that any action taken on any request for amendment or correction should be done within 60 days of the receipt of that request. The Comment states that if a provider needs more than 30 days to make a decision, it can send an acknowledgment to the individual explaining the reasons for the delay.(11) In other words, not only do covered entities have a long time period to act on requests, but the covered entity also has discretion to extend it indefinitely. This grants broad discretion to the covered entity that infringes on an individual's right to a reasonably balanced and fair system for requesting amendment and correction of disputed medical records.
The regulations should adhere to the standards implemented in the FCRA, which establishes a 30-day waiting period, with an extension of 15 days allowed if the agency receives additional information that is relevant to the reinvestigation.(12) It is imperative to reiterate that individuals' medical records should receive the same level of consumer protection as that given to their financial records. At a minimum, the regulations should adhere to the FPA's time limits, which require a 30-day time period for reinvestigation and an extension for good cause. The Comment states that the proposal purports to conform to the FPA's standards for accuracy and completeness. We assert that the regulations should also, at a minimum, comply with the FPA's standards for timeliness. Again, we do not believe that there should be a higher standard for accuracy, completeness, and timeliness that applies only to public health insurance (e.g., Medicare and Medicaid) through the FPA.
Recommendation: The regulations need to implement procedures that covered entities should adhere to when requests for amendment and correction have been accepted.
Rationale: Similar to the procedures proposed in the case of a request that has been denied, procedures should be established for covered entities to follow when requests have been accepted. This would ensure that individuals' claims are dealt with in a speedy, uniform, and more efficient manner. It would not be beneficial to individuals if a covered entity decides that an amendment or correction is necessary, but then does not take the steps to make sure that the change is made in a way that is timely, accurate, and complete.
Recommendation: The covered entity should not be allowed to summarize an individual's statement of disagreement. No one else should summarize an individual's statement of disagreement; others may only assist the individual with the summarization.
Rationale: The approach that the regulation adopts does not reasonably balance the burden on the covered entity with the protection of individuals' rights. The regulations state that the covered entity's procedures must,
[P]rovide for inclusion of the covered entity's statement of denial and the individual's statement of disagreement with any subsequent disclosure of the information to which the disagreement relates, provided that the covered entity may establish a limit to the length of the statement of disagreement, and may summarize the statement of disagreement if necessary. (13)
The Comment states that if the covered entity determines that the statement of disagreement is unreasonably long, then they may summarize the basis for the individual's dissent. In other words, it gives the covered entity the authority to sum up the dispute. This could potentially create a conflict of interest for the covered entity if, for example, the covered entity originally generated the disputed information. The process outlined in the proposed regulations places the individual at the mercy of the covered entity for accurately summarizing the basis for the individual's complaint.
The appeals process should be implemented by an outside agency, not an entity that could potentially have a financial interest in the information. As previously stated, under the FCRA,(14) the dispute automatically goes to the Federal Trade Commission, a neutral entity. The neutral agency in this case should also assist consumers in summarizing their claims. In other words, it should not be left to the covered entity to assist the individual with the summarization, and no one should summarize the individual's position, but instead assist them. This procedure, used in the FCRA, provides a heightened standard of fairness which protects individuals and is administratively less burdensome on covered entities because the federal agency, and not the plans, is responsible for administering the dispute.
Recommendation: The covered entity should not be allowed to provide a rebuttal to the statement of disagreement.
Rationale: The proposed regulations already provide the covered entity with a basis to be heard when a request is denied. They state, "[W]here the request is denied in whole or in part: (i) Provide the individual with a written statement in plain language of: (A) The basis for the denial;"(15) Therefore, the rebuttal would only reiterate what has been clearly stated in the original denial, which would presumably already be on record. To then allow another rebuttal would be administratively wasteful, and unfair to individuals who were only heard once.
June 30, 1999
Below are five general principles proposed for Consumers Union's medical records privacy policy. Each is followed by specific policies and, where applicable, issues to consider. Due to the constant change and evolution of privacy and confidentiality issues, the specific policies may be subject to revision or expansion to accommodate legislative and industry changes. The general principles, however, should serve as guidelines for new or revised policies.
The specific issues following some of the policies are questions for discussion and particular issues that may arise in certain situations.
Background information is provided in italics.
MEDICAL RECORDS PRIVACY PRINCIPLES
I. General Principle - Every individual has a privacy interest in their individually identifiable information given in connection with their health care.
II. General Principle - Individuals have the right to access and ensure accuracy of their own health information.
III. General Principle - Waivers of privacy interest should be clear and limited in scope to specific purposes.
IV. General Principle - Protections should be in place to ensure that anonymized, rather than individually identifiable, information is used wherever possible.
V. General Principle - Health care providers and other holders of health information have a duty to maintain the confidentiality of individually identifiable health information and should be held accountable for protecting an individual's privacy interest.
I. General Principle - Every individual has a privacy interest in their individually identifiable information given in connection with their health care.
A. Policy - Protections should guarantee each individual's privacy interest in their own identifiable health information.
Issue:
1. Dependent children's privacy rights - what limits on parental disclosure of individually identifiable medical information of dependent children?
II. General Principle - Individuals have the right to access and ensure accuracy of their own health information.
A. Policy - Every individual should have the right to read, copy, and supplement information contained in their medical records, although some limitations on access may be necessary, for technical reasons, e.g., cost and time involved in providing access to medical records, or for content reasons, e.g., highly sensitive information, such as certain mental health therapy notes.
Background - Currently, approximately half of all states have legislated a patient's right to view his or her own medical records.
Issues:
1. What are reasonable costs for patient access, e.g., copying costs?
2. Should provision be made to enable patients to understand medical jargon and observations contained in the records?
3. What are reasonable limits on patient access to medical records, i.e., the burden on the records holder, such as the time within which to provide access?
4. How to define "highly sensitive information" to which access may be limited, e.g., when would reading mental health therapy notes pose a danger to the patient or others, issue of health plan's access to mental health therapy notes?
5. Patients should receive notice whenever medical records are moved to another provider, e.g., when medical facility closes.
III. General Principle - Waivers of privacy interest should be clear and limited in scope to specific purposes.
A. Policy - Individuals should be given written notice in plain language of how their individually identifiable health information will be used and by whom.
Background - Information obtained in a medical encounter can be transmitted beyond the walls of the provider's office to many different organizations. The list of possible recipients of such information is extensive and includes: patient care teams, e.g., nurses, technicians, and other medical providers; billing and claims processing departments; medical records handlers and records storage companies; insurers; laboratories; imaging centers; pharmacies; quality management agencies; government oversight agencies; county, state, and federal health departments; and research institutions. Only with adequate notice of the uses of individually identifiable health information can individuals make meaningful informed choices about whether, and to what extent, to allow their health information to be used.
Issues:
1. What obligation, if any, does the waiver seeker have to ensure that the patient understands the waiver form?
2. What obligation, if any, does the medical provider have to ensure that the patient understands the uses of individually identifiable health information?
3. What liability, if any, for failure to list all possible users of identifiable health information?
B. Policy - Individually identifiable health information relayed by the patient may not be transmitted to anyone else absent a signed waiver or written authorization by the patient. Exceptions to this rule may be warranted - for example, where a person's life is in danger, if there is a threat to public health, if there is a compelling law enforcement need, or between medical providers for treatment purposes.
Issues:
1. When and how frequently should patient waiver or authorization for use of identifiable information be obtained - at every medical encounter, for each provider, once a year, when the patient enrolls in a health plan, at every encounter for marketing purposes?
2. What if the patient refuses to waive the right to privacy? Can s/he be denied medical care? Yes, if the refusal restricts the medical provider's ability to provide care or prevents the collection of fees for service; but this raises the problem of conflict with the Hippocratic oath not to refuse care.
3. Should patients be allowed to withhold individually identifiable health information for research purposes?
4. How to ensure that information is not being used for unauthorized purposes, e.g., for marketing purposes?
5. Law enforcement - even if no waiver required for criminal investigation, search warrant still required.
C. Policy - Disclosure of personal health information for marketing purposes should never be permitted without a specific waiver or authorization signed by the consumer for that specific use.
IV. General Principle - Protections should be in place to ensure that anonymized, rather than individually identifiable, information is used wherever possible.
A. Policy - Public records should be made available for legitimate public use so long as any individually identifiable information is removed.
Background - Numerous government agencies hold public records and data that contain individually identifiable health information. These records can be useful to consumer advocates for monitoring regulatory activity. Under ordinary circumstances, public records should be accessible with individually identifiable information removed. Recently, however, the Southwest Regional Office (SWRO) was denied access to records of the Texas Department of Insurance (TDI) on the ground that the records contained confidential medical information and, therefore, could not be released. The SWRO sought these records in an effort to monitor TDI's handling of consumers' complaints concerning managed care organizations. The fact that government records contain individually identifiable health information should not be a barrier to public viewing if the identifiers are removed.
Issues:
1. What are costs to government agency of removing identifiable information?
2. Inter-governmental agency sharing of individually identifiable health information - what limits and restrictions, what waiver provisions?
3. Require government agencies to maintain individually identifiable health information in a format that allows easy removal of identifying elements.
B. Policy - While protecting individual privacy rights, legislation should not impede important public health efforts or clinical, medical outcomes, or quality of care research.
Background - Anonymized data, stripped of any personal identifiers but often retaining a unique patient identifier, is frequently used for academic research, public health purposes, disease tracking, regulatory audits, industry cost studies, and quality initiatives. Use of anonymized data can help ensure individual privacy without hindering these other important efforts.
Issues:
1. Should "opt-out" be available to the patient for anonymized data, recognizing that patient option to withhold consent could cause significant reliability problems for medical research?
2. Need to further define "anonymized" data, e.g., whether unique patient identifier is used, is it aggregate data, can it be matched (and de-anonymized) with census or voting data (age, address, gender) for marketing purposes?
V. General Principle - Health care providers and other holders of health information have a duty to maintain the confidentiality of individually identifiable health information and should be held accountable for protecting an individual's privacy interest.
A. Policy - Every health care provider and any other person to whom information is given in connection with health care has a duty to protect the privacy interest and maintain the confidentiality of individually identifiable health information.
B. Policy - Entities holding identifiable health information in any form should be required to institute and comply with appropriate security safeguards to protect individually identifiable health information from unauthorized use or disclosure.
C. Policy - Penalties for inappropriate use of individually identifiable health information should include strong and enforceable civil and criminal sanctions, including a private right of action.
Background - Currently there are limited remedies or penalties for unwaived disclosure of individually identifiable health information. Some states have medical records privacy laws which set forth civil penalties for violations.
D. Policy - Any federal legislation enacted concerning medical records privacy should set a rigorous standard for privacy practices by organizations that gather or use medical information.
______
Footnotes
(1) Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 427 (1999) (to be codified at 45 CFR pts. 160-164) (proposed Oct. 29, 1999).
(2) Bartley L. Barefoot, Comment, Enacting a Health Information Confidentiality Law: Can Congress Beat the Deadline? 77 N.C.L. Rev. 283 (1998).
(3) David F. Linowes and Ray C. Spencer, How Employers Handle Employees' Personal Information: Report of a Recent Survey. 1 Empl. Rts. & Employ. Pol'y J. 153 (1997).
(4) Please see attachment of CU's Medical Privacy Principles.
(5) Patricia I. Carter, Health Information Privacy: Can Congress Protect Confidential Medical Information in the "Information Age"? 25 Wm. Mitchell L. Rev. 223 (1999) (citing Louis Harris & Assoc. Poll, Nov. 1993, available in WESTLAW, POLL database, File USHARRIS.93PRIV RC01C).
(6) Id. (citing Louis Harris & Assoc. Poll, Nov. 5, 1993, available in WESTLAW, POLL database, File USHARRIS.110593 R3A).
(7) Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 427 (1999) (to be codified at 45 CFR pts. 160-164) (proposed Oct. 29, 1999).
(8) Id. at § 164.516(a)(2)(i).
(9) 5 U.S.C.S. § 552a (1999).
(10) Fair Credit Reporting Act, 15 U.S.C. § 1681i (1997).
(11) Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 427 (1999) (to be codified at 45 CFR pts. 160-164) (proposed Oct. 29, 1999).
(12) 15 U.S.C. § 1681i (1997).
(13) Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 427 (1999) (to be codified at 45 CFR pts. 160-164) (proposed Oct. 29, 1999).
(14) 15 U.S.C. § 1681i(b) (1997). "If the reinvestigation does not resolve the dispute, the consumer may file a brief statement setting forth the nature of the dispute. The consumer reporting agency may limit such statements to not more than one hundred words if it provides the consumer with assistance in writing a clear summary of the dispute." (emphasis added).
(15) Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 427 (1999) (to be codified at 45 CFR pts. 160-164) (proposed Oct. 29, 1999).