![[Join EFF]](/Icons/home/joineff.gif){kind=icon}
![[Act Now]](/Icons/home/actnow.gif){kind=icon}
![[Sign Up]](/Icons/home/signup.gif){kind=icon}
![[About EFF]](/Icons/home/abouteff.gif){kind=icon}
February 16, 2000
Assistant Secretary for Planning and Evaluation
Attention: Privacy-P, Room G-322A
U.S. Department of Health and Human Services
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, DC 20201
RIN 0991-AB08
Dear Assistant Secretary:
We are writing today on behalf of the undersigned public interest organizations: Deborah Pierce, staff attorney for the Electronic Frontier Foundation (EFF), Beth Givens, Director of the Privacy Rights Clearinghouse, and Lisa Dean, Vice President for Technology Policy of the Free Congress Foundation to comment on the Department of Health and Human Service's (HHS's) plan to implement standards for the privacy of individually identifiable health information.
While we are pleased to see that HHS is proposing to adopt fair information practices guidelines with regard to medical records and to limit disclosure of personal medical information, we believe that the proposed regulations are too biased in favor of business and governmental desires at the expense of the privacy of individuals. We therefore recommend that the proposed standards be redrafted in order to put in place better privacy protections for individuals with regard to their medical records.
Congress failed the American people when it first passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. This law included a requirement for a national health identification scheme. Congress failed the American people again when it failed to pass privacy requirements on the use and collection of personal medical information by its self-imposed deadline of August 21, 1999. Left unchecked, unique health identifiers will become a de facto national identification system, an idea that is fiercely opposed by the majority of the American people.
In the last year alone, we have seen the federal government abandon several attempts to impose a national identification number or other intrusive surveillance schemes on the American people after there was huge public outcry opposing the measures. For example, the Federal Deposit Insurance Corporation (FDIC) was forced to abandon its plan to mandate that all banks adopt "Know Your Customer" procedures in the face of over 250,000 negative responses from individuals. Similarly, Congress passed, and the President signed, language that repealed a provision in the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 that would have allowed driver's licenses to become de facto national identification cards. This too was done in response to a large public outcry.
We understand that HHS does not have the authority to repeal HIPAA or the national identification scheme it creates. So said, we favor legislation that abandons the HIPAA unique health identifier provision because of the virtual certainty that such an identifier will become a national identification system.
In the absence of such a law, HHS does have the authority to ensure that national health identifiers have the least impact on the privacy of American citizens. We have several recommendations in this area.
The proposed rule states that the goal is to make these standards as compatible as possible with current business practices while still enhancing privacy protection. At the same time, HHS commentary in the proposed rule concedes that privacy is a fundamental right; it discusses the dangers of too much personal information being disclosed to third parties.
Yet, to the best of our knowledge, HHS did not consult with anyone from privacy or civil liberties groups to learn our point of view for inclusion in the proposed rule. Nor does it appear that representatives from physicians' groups, such as psychologists, medical researchers, general practitioners, or nurses were consulted about the possible impact of such a regulatory scheme. It stands to reason that these health care professionals would speak to the reluctance of many individuals to seek health care when the confidentiality of their medical records is in question.
HHS did consult with several federal agencies however, including the Department of Justice, the Department of Commerce, the Social Security Administration, the Department of Defense, the Department of Labor, the Office of Personnel Management, and the Office of Management and Budget. Their viewpoints are well represented in this proposed rule.
As a result, the proposed rule is riddled with balancing tests pitting the privacy interests of individuals against business and government needs and desires, with the balance tipping predominantly in favor of business and the government.
For a proposed regulation as broad as this, HHS and the Administration have done little to see that it receives the public attention it deserves. In mid-January a USA Today article reported that HHS had only received about 200 comments while 6,000 had been expected. Less than three weeks later, HHS had received nearly 2,500 faxes from concerned individuals, alerted to the proposed rule by the American Civil Liberties Union. Yet, HHS has decided to reject these comments as "official" because those individuals did not adhere strictly to the complicated web-based submission system.
We believe that with a rule as sweeping as this, the HHS should further extend the rulemaking deadline, make the process for submitting comments flexible so as to give individuals a better way to participate in this rule-making process, and meet with more diverse groups who represent individuals, as well as to solicit more comments from individuals themselves.
One of the most significant problems with the proposed rule is its assumption that collection and disclosure are the norm. A privacy-protection rule should start with the assumption that information collection and disclosure should only be permitted in certain specified circumstances with well-defined, clear guidelines for disclosure.
In other words, collection and disclosure must be the exception, not a mechanism for routine use. The proposed rule permits exactly this -- a routine way to circulate medical information. The rule is constructed for ease of disclosure for almost any group that stated during consultation with HHS that they had an interest in the information, whether or not the individual authorized it. The rationale is that easier disclosures will facilitate timely payments, support treatment, enable "smooth operation of the health care system", catch criminals, conduct research, and engender public health surveillance. By facilitating disclosure in these many cases, the fact that medical records are profoundly sensitive documents affecting life choices of individuals -- including whether to have children, availability of employment opportunities and health treatment options -- is ignored.
For example, the term "oversight of the health care system" is only vaguely defined as "compatible with and directly related to treatment and payment." Because "oversight" falls under payment and treatment, individual authorization is not required. Tasks or projects that fall under this category include developing clinical guidelines, reviewing the competency of health care professionals, determining insurance rating, supporting other insurance activities, detecting fraud and abuse, and compiling and analyzing information in anticipation of criminal or civil legal proceedings. These are worthy goals, but individuals should be allowed to opt-in to these programs rather than have their personal information freely disclosed for these purposes without their consent.
One of the stated goals of the proposed rule is to create a national floor for standards that provide fundamental privacy rights for patients. The problem is that the floor that would be created by this rule is so low and protections are so weak that they are almost non-existent. As written in these proposed regulations, the balancing of privacy interests of individuals regarding their medical records against the speculated benefits to society, business, and law enforcement leaves individuals with little privacy of their health information.
Health information is not the proper place to balance business and individual interests; the individual's privacy and health interests should prevail. Individuals must be put first in order for the health care system to be effective. This is particularly important since HHS has not been granted authority to ensure that strong penalties are attached for misuse of information. There is no private right of action for individuals to enforce their rights if they have been violated.
Ownership of health information is another issue that is not adequately addressed in the proposed rule. It is our position that health information should be controlled by the individual. It is important to remember that the primary purpose of collecting health information from individuals is to provide the individual the best quality care. Information is not being collected to support secondary uses that third parties might have -- whether to construct consumer profiles, to conduct surveillance, or to serve business interests.
Ironically, these proposed rules will likely thwart the goal of improving the health care system. Individuals will be less comfortable with disclosing their personal information to their health care providers. They may forego doctor visits altogether, knowing that this sensitive information will be disclosed to others.
This is best illustrated by the procedures for handling psychotherapy notes. The proposed rule would keep notes taken during therapists' sessions with patients private. But the diagnosis and the prescribed medications would not be held confidential. In such a scenario, the fact that the notes are confidential becomes almost irrelevant: anyone to whom the diagnosis is disclosed can infer why the patient was seeing the psychotherapist. The outcome will be that many patients will be less likely to seek treatment. The larger impact will be a decrease in the level of health care society-wide.
As stated in the summary, HHS does not have the authority to issue restrictions beyond their mandate. This causes large gaps for those entities that are not covered by the rule. These include life insurance issuers, researchers, employers, marketing firms, as well as administrative, legal, accounting, and similar services.
With regard to the protected health information, the rule only applies to electronic records, not to paper records. This is another shortcoming of the proposed rule.
The proposed rules would not require individual authorization for "traditional public health surveillance." This includes investigations and interventions with respect to communicable diseases; registries (such as immunization or cancer registries); programs to combat diseases that involve contacting infected persons and providing treatment; and actions to prevent transmission of serious communicable diseases.
We largely disagree with this approach. In most situations, individuals should know when such information is released and should be able to consent to such disclosure. Keeping the public safe from disease is a worthy goal. But the balance has tipped too far with this proposed rule. There are too many provisions in which individuals are given no choice in the matter. Each individual must be able to have more control over his/her medical information, since it is so central to defining that person. Further, having such a rule in place would open the door to possible discrimination of people with diseases such as AIDS.
The proposed rules could actually hinder programs to combat certain diseases. As we have seen with HIV and AIDS, anonymous testing of individuals is paramount to getting people tested and treated. If people think that this information will be disclosed to others without their permission, they are less likely to be tested and risk that employers or family members might find out their condition.
The proposed rule is ambiguous as to whether a court order or warrant is required before law enforcement would be able to collect health information. The commentary suggests that some sort of writing should be required, but the rule itself suggests that the writing requirement may be satisfied by showing up at the hospital with the request written on official letterhead. We believe that a properly drawn court order or warrant must first be obtained before medical information is released to law enforcement.
Another problem with this section is the good faith exception for law enforcement. The good faith exception is very broad and has the potential to be widely abused. Often in criminal matters police hide behind this exception when they know they have no right to obtain certain information. They only need to claim that they thought they had a right to the information for the good faith exception to stand up under scrutiny. There is no reason to think that law enforcement would act any differently with regard to this proposed rule. Couple the good faith exception with the lack of a warrant or court order, and law enforcement has virtually unfettered access to health information.
We are also disturbed by a statement in the proposed rules, "Protected health information could be sought É to determine whether and who committed a crime" (emphasis added). There has been a substantial amount of debate about whether and when DNA evidence should be collected from suspects to a crime. In an apparent loophole, this proposed rule closes the door on this debate.
Consider the following scenario: the rule could permit doctors to collect DNA evidence in the course of their treatment. Police could use the good faith exception to obtain the DNA evidence. For example, law enforcement could collect, without a proper warrant, the DNA of anyone recently admitted to the hospital that may have been in a particular area at a particular time. The area and time information would be supplied by the directory and the admittance information kept in the patient's file. In fact, since this information would be kept in a new federal database whose creation is authorized by this rule, the police may not even be required to obtain permission from the doctor.
Any policy allowing those other than the attending physician to collect and use DNA information should be discussed thoroughly before allowing law enforcement to have such complete access. DNA information dissemination has the potential to affect job opportunities, determine access to health care and insurance, and to subject individuals to discrimination based on their health status. Because law enforcement and other entities could have unrestricted access to such sensitive information, this broad exception must be discarded in the final rule.
An area of ambiguity surrounds disposal of DNA evidence once it has served its purpose. Is the genetic material itself destroyed or is it stored somewhere? Is the information gleaned from the DNA kept in a law enforcement database even though the individual may have been cleared of the crime? This information is so sensitive that we believe that at the very least the DNA material should be destroyed.
If the proposed rule is implemented, government will steadily build a "dataveillance" mechanism that touches every aspect of our lives, so much so that it will become a threat to our open society. The proposed rule will allow for the creation of yet another Federal database. All of the data collected about patients will be entered into this database along with the "unique health identifier" without the consent of the individual.
There is no option for individuals to opt-out of inclusion into this database. In fact, many individuals may not even be aware that it exists. This is nothing less than a power grab of sensitive personal information by the government. We believe that if the government wants individuals to be included in a new Federal database, they should inform individuals about it and obtain their permission.
This database, because of the unique number assigned to each individual, would be broader than any existing governmental database, surpassing even the databases of the Social Security Administration and the Internal Revenue Service. It would create a unique file on each person in the United States. Once constructed, this database could be linked or matched with other agency databases to create the most far-reaching surveillance system this country has ever seen.
Despite the provision of fair information principles regarding individuals' medical records in general (e.g., right of access, right of correction), it does not appear that the rule requires the provision of fair information practices regarding the federal database itself. Individuals will not have an opportunity to correct any inaccurate information once the information has been collected. There is no statement about security measures that will be put in place to protect this information. Nor is there any mention of enforcement mechanisms or oversight of the Federal database. Further, there is no statement about who has access to the information. And there are no provisions for the destruction or deletion of information once an individual is out of the health care system. Finally, there are no provisions for recourse for citizens if they have been harmed by disclosure of the information.
We are pleased to see that the Rule leaves the door open for states to draft and continue to enforce more stringent privacy laws. We are concerned however, in spite of the commentary and provisions that provide for more stringent state laws, that this rule may be construed to have pre-empted the field. We think this is a possibility because this proposed rule covers all electronic medical records and strives to make the provisions for states to follow as uniform as possible. This is a hallmark of field pre-emption.
The states are considered the public policy laboratories for the nation. We have seen several issues in which stronger state laws have eventually been adopted on the federal level. Credit reporting is one such example. Given the sensitivity of individuals' medical records, these regulations must provide a floor, not a ceiling, in order to give states that desire to expand privacy protection for their citizens the ability to do so.
Individuals want their privacy to be respected and protected. This is borne out in several recent national surveys. It is also illustrated by the huge public outcry against the "Know Your Customer" regulations proposed for the nation's banking system, and the significant opposition to efforts to create a national identification system via state driver's licenses.
The privacy of our medical records is no less sensitive. In fact, given the potential for one's medical records to have an impact on employment opportunities, financial offerings, family relations, social standing, even ability to obtain housing, our medical records deserve the strongest protection possible.
We believe that the proposed rule does not provide the protection necessary to safeguard patients' privacy. We recommend that the rule be withdrawn and re-drafted, and that public forums be held regionally throughout the country to obtain a broader cross-section of opinions about the best way to protect privacy.
We would welcome the opportunity to work with you to help craft a rule that would protect the public health while still respecting the rights of individuals.
Thank you again for giving us the opportunity to comment on this proposed rule.
Sincerely,
Deborah Pierce
Staff Attorney
Electronic Frontier Foundation
1550 Bryant Street, Suite 725
San Francisco, CA 94103
Phone: (415) 436-9333, ext. 106
Fax: (415) 436-9993
E-mail: dsp@eff.org
Website: www.eff.org
Lisa Dean
Vice President for Technology Policy
Free Congress Foundation
717 Second Street, NE
Washington, DC 20002
Phone: (202) 546-3000
Fax: (202) 543-5805
E-mail: info@freecongress.org
Website: www.freecongress.org
Beth Givens
Director
Privacy Rights Clearinghouse
1717 Kettner Ave., Suite 105
San Diego, CA 92101
Phone: (619) 298-3396
Fax: (619) 298-5681
E-mail: bgivens@privacyrights.org
Website: www.privacyrights.org
Please send any questions or comments to webmaster@eff.org
