

Comments to Final Rule on
Standards for Privacy of Individually Identifiable
Health Information

March 30, 2001

Frank Torres
Consumers Union
1666 Connecticut Avenue, N.W.
Suite 310
Washington, D.C. 20006
202-462-6262


Consumers Union concurs with other privacy and health organizations that the Final Standards for the Privacy of Individually Identifiable Health Information, 65 FR 82462 (December 28, 2000) is a significant step towards restoring the public trust and confidence in our nation's health care system. The rule should not be scrapped or delayed. If changes are made to the rule those changes should strengthen, not weaken, the medical privacy protections.

INTRODUCTION

The Department of Health and Human Services (the "agency") was directed by Congress to develop and implement rules to protect the privacy of Americans' health information. The rule followed normal rulemaking procedures. All interested parties had ample opportunity to provide comment. In fact, the comment period was extended to provide additional time to submit views. The comments were given due consideration and a final rule was published. The agency has now used a procedural technicality to reopen the rule for additional comments.

Critics of the rule are urging the agency to scrap the rule or otherwise delay its implementation. If the rule moves forward, the agency is being urged to weaken it by taking away the rights of patients to consent to the sharing of their information, denying patients the right to access their own records, creating larger loopholes in the rule, and allowing holders of medical information to share their patients' data with others without any responsibility or accountability.

But nothing has changed since the rule was finalized that diminishes the need for strong medical privacy protections. Medical information continues to be used for inappropriate purposes. The rule itself highlights a number of cases where private medical information was released for profit and marketing purposes - completely unrelated to the treatment of those patients. A recent USA Today editorial further highlights the consequences of a failure to protect medical privacy - an employer firing an employee when they got the results of a genetic test; release of medical records to attack political opponents; and hackers getting access to health records from a major University medical center (USA Today, March 20, 2001).

Patients should not be put in the position of withholding information or even lying about their medical conditions to preserve their privacy. Those seeking medical treatment are most vulnerable and should be allowed to focus on their treatment or the treatment of their loved ones, rather than on trying to maintain their privacy. It is unfair that those citizens must be concerned that information about their medical condition could be provided to others who have no legitimate need to see that information.

Since the substantive issues related to the rule have been vetted, these comments examine and respond to the criticisms of the rule and highlight important provisions that should be kept or strengthened.

CRITICISM OF THE RULE IS OVERBLOWN

None of the arguments against the rule is as compelling as the legitimate and pressing need to allow patients to keep their most private and sensitive information from being released or shared with others.

The rule is not unreasonable, unfounded, or far-fetched: The rule is simple.

· Patients are told in plain English how their medical information is used, kept and disclosed.

· Patients are allowed to see their medical records and get copies of those records if they want. Patients are also allowed to have inaccurate information corrected.

· Patients are allowed to consent to the disclosure of their health information in most circumstances, including non-medical or non-treatment related purposes. Companies should have to defend their reasons for wanting access to that data. If those companies are unable to convince patients to consent to the use of their information, they should not be able to circumvent the patient's choice.

· The rule limits the use of an individual's health information to health purposes only with few exceptions.

· The rule says that hospitals and other providers must adopt privacy procedures, train employees about those procedures, and provide a process if those procedures are violated.

· The rule holds the hospital and other health care providers accountable if patient health information is misused.

Concerns about Costs are Misplaced: It is wrong to put commercial interests ahead of the patients' interests. The privacy concerns of patients are more important than the wishes of special interests not involved in patient treatment who want access to individual patients' medical information for their own gain.

Therefore, the agency's concerns about the costs are misplaced. The agency assumes that the companies who want access to this data have a right to it, rather than focusing on what should be the agency's primary concern - to protect patient privacy. If costs are a concern, then the agency should simply ban the sharing of information for non-medically related purposes. No one is forcing any entity to share patient data for non-medically related purposes. If those entities do not want to be burdened with obtaining a patient's consent, then they can simply choose not to share the information at all.

The agency should not put marketers' revenue-generating activities ahead of citizens' rights to keep their most personal information - their health information - private. The same companies who seek to void, delay or weaken citizen privacy rights enjoy trade secret laws to protect their own proprietary information.

Increasing the Security of Health Data is Not a Complete or Adequate Solution: Simply making the databases of medical information more "secure" will not provide the full protection that is warranted. Securing databases may help prevent intrusions by computer "hackers," but those efforts will do nothing to prevent commercial interests from obtaining medical information. While "hackers" are a concern, a greater intrusion by others should not be legalized. In fact, the agency would do harm by erroneously claiming that patient privacy is protected merely by calling for "security" measures if it then allows for patient information to be widely shared for commercial and non-medical reasons without the patient's knowledge or consent.

Critics' arguments have little merit: These are simply a smoke screen to prevent the protections from moving forward. The rule provides flexibility in its interpretation and allows the agency to consider legitimate concerns raised about implementing the rule, without undoing the entire rule or rolling back provisions needlessly.

Everyone should be clear on what the rule does not do:

· The rule only requires that reasonable safeguards be used. Hospitals will not have to erect soundproof walls, as some critics have charged.

· The rule is flexible. People will still be allowed to pick up prescriptions for family members. If further clarification is needed, the rule allows the agency to simply issue guidance. Because the agency is allowed to act if needed, this issue and similar issues can be resolved without weakening or delaying the rule.

· The rule allows information sharing for treatment purposes. The quality of patient care will not suffer. In fact, by increasing trust between the doctor and patient, the rule will likely increase the quality of care.

COMMENT SUMMARY

The agency should reject efforts to further delay implementation of the rule and instead enforce the rule. Critics of the rule have not justified any reason to delay implementation of the rule. Either the rule is flexible enough to address their concerns, or the agency is given the authority to offer guidance in those instances. Moreover, the need for protections is compelling and the privacy of citizens outweighs objections by an industry that is seeking to obtain information for profit-driven purposes.

The rule, in general, should be preserved. Any future changes should be to strengthen the rule, not weaken it. The rule sets reasonable standards for the protection of medical privacy. Without such restrictions on the use and sharing of medical information, especially for non-treatment-related purposes or non-medically related purposes, patient trust in the health care system could erode. Key provisions of the rule should be preserved, like consent, notice, and access. Other provisions should be improved, like the exceptions for marketing. It should also be made clear that treatment should never be conditioned on consent to share medical data for non-treatment purposes.

DO NOT DELAY IMPLEMENTATION OF MEDICAL PRIVACY SAFEGUARDS

Delaying the Effective Date Is Unwarranted - Section 164.534

The current effective date of the final rule should be maintained. When Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA), it mandated that the regulations governing the privacy of health information be promulgated by February 2000. More than a year later, regulations have not been implemented. Both the law and the rule were subject to intense scrutiny and debate. HHS extended the initial 60-day comment period by an additional 45 days. As a result, more than 52,000 comments were received on the proposed rule.

HHS made many significant changes to the rule to accommodate the concerns raised by the health care industry and pharmaceutical companies. HHS has already relaxed the "business partner" provisions, scaled back restrictions on marketing and fundraising activities, and eliminated certain liability provisions.

The bottom line is that an individual's health information should be used for health purposes only. A cost/benefit analysis of ensuring such use limitations, especially one that considers the cost to those who want to use the information for marketing purposes, is completely inappropriate. That cost is the cost of not having data that they should never be given access to.

Information can be used for other purposes provided the patient's consent is obtained. This is right and fair. The first priority must be providing health care in an atmosphere of trust, not one in which the patient is put at a disadvantage for sharing important health information. Patients should not have to withhold vital data in order to protect their privacy.

KEY PROVISIONS OF THE RULE SHOULD BE PRESERVED

Health Information in Any Format Should Be Covered - Section 164.501

HHS has the authority to regulate a broad range of health information and is justified in including health information in electronic, oral and written formats. Limiting protections to electronic records will provide an incentive to merely keep records on paper and then share that data.

New Patient Rights Must Be Preserved - Sections 164.520, .522, .524, .526, .528, .530, .306

New patient rights should be preserved, not weakened. These new rights include notice, access, and accountability. These will allow patients access to their own health information, protect them from the inappropriate disclosure of that information, promote the accuracy of the information on which decisions are made, and provide for the filing of a complaint when things go wrong. Other rights are also important to consumers.

Notice (Section 164.520): The rule was actually changed to allow for notices to include information practices that may be made, rather than the entity's actual expected practices. This should make it easier to comply with the notice requirements, while making the disclosures more complex for consumers. If notices are made in "plain English" they may well help foster better understanding among patients and increase confidence in the health care system.

Access and Correction (Section 164.524, Section 164.526): Consumers Union supports giving patients the right to access their health information so that they can make informed decisions and correct errors where appropriate. The rule allows for access to be denied for certain circumstances. The rule also allows patients the ability to amend their files under reasonable circumstances. It is ironic that the critics of the rule would make it harder for patients to see their own records while giving marketers unfettered access to those same files.

Accountability (Section 164.528): It is reasonable to make those holding medical information accountable for the disclosure of that information to others. The accounting provisions are narrowly tailored to reduce the burden on covered entities. The provision should be expanded to cover disclosures made for treatment, payment, and health care operations.

Restrict Disclosures of Health Information for Non-Treatment Reasons to Business Associates - Sections 164.502, 164.504

It is proper to place responsibility on covered entities to ensure that their business associates will properly safeguard protected health information before disclosing the information. Covered entities should not be able to get around the rule by contracting with third parties. One way to avoid any potential burden is simply not to share any patient data with a third party.

Preserve Incentive for De-Identification - Section 164.514

The de-identification provision places that form of information outside the scope of the rule. This way, marketers or researchers could access information that might be useful or valuable to them without intruding on individual patients' privacy. The provision, however, is not an absolute bar to the use and disclosure of individually identifiable health information for research or other purposes.

Preserve the Minimum Necessary Standards to Limit the Use and Disclosure of Health Information - Sections 164.502 and 164.514

It is reasonable to limit the information that is shared for a given purpose to the information that is deemed necessary. This should not impede a patient's ability to receive quality care. The provider is able to create its own policies as to what type of information is necessary. It is likely that for many purposes the provider might allow access to the entire patient file, but for other functions such access is neither necessary nor appropriate. Health care providers are allowed to make those determinations.

Protection of Privacy Will Help Research - Section 164.512

The rule places reasonable parameters on the use of patient data in the context of medical research. Use of data for research purposes is allowed. There must, however, be assurances that the information will not be reused or disclosed to any other person or entity. Researchers should be accountable for safeguarding the information they collect.

Holders of Data Should be Accountable for Their Use and Sharing of the Data - Section 164.530

It is reasonable to establish mechanisms for ensuring that patient privacy is protected. The rule takes a very balanced approach by being flexible and scalable. It is not unreasonable to expect that a covered entity establish policies and provide training to its personnel on how to comply with the rule. Moreover, the rule specifically states that the regulation merely requires covered entities to "reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards."

THE RULE SHOULD BE IMPROVED

Marketing and Fundraising - Sections 164.501, .506, .513

New provisions in the final rule could mean that third parties could gain access to private health records for non-treatment purposes. Information should not be allowed to be used in this manner without authorization from the patient. An after-the-fact opt-out is insufficient because the information would have already been disclosed. At least, patients should be allowed to opt out before the information is shared.

Consent Requirement Should Be Expanded - Section 164.506

The rule requires that a health care provider obtain a patient's consent before using or disclosing protected health care information. While we believe that this provision should be extended to cover other entities, such as health care plans, the provision is important.

Some concern has been raised about this provision. The rule does provide that a health care provider may without prior consent use or disclose protected health information in emergency treatment situations and in circumstances where the provider is unable to obtain prior consent due to substantial barriers to communication with the patient. Other issues can be remedied through HHS guidance, like clarifying the definition of indirect treatment relationship to specify the picking up of prescriptions. Fine tuning the regulation in these types of instances does not justify delaying the effective date.

CONCLUSION

Delaying or weakening the rules at the behest of industry means that the agency places the interest of third parties ahead of those of the patients. Consumers Union urges the agency to move forward with implementing these important safeguards.

____

Notes:


(1) Consumers Union is a nonprofit membership organization chartered in 1936 under the laws of the State of New York to provide consumers with information, education and counsel about goods, services, health, and personal finance; and to initiate and cooperate with individual and group efforts to maintain and enhance the quality of life for consumers. In addition to reports on Consumers Union's own product testing, Consumer Reports, with approximately 4.5 million paid circulation, regularly carries articles on health, product safety, marketplace economics and legislative, judicial and regulatory actions which affect consumer welfare. Consumers Union's publications carry no advertising and receive no commercial support.

 


All information ©2001 Consumers Union