Consumer Project on Technology
P.O. Box 19367, Washington, DC 20036
Voice: 202/387-8030; Fax: 202/234-5176
http://www.essential.org/cpt/cpt.html

November 2, 1995*

United States Senate
Washington, DC 20510

re: S. 1360 - Medical Records

Dear Senators:

I am writing to you to express our concerns about S. 1360, the Medical Records Confidentiality Act of 1995, which purports to enhance personal privacy. It is our view that this proposal is fundamentally flawed, and will legitimatize and contribute to the continued erosion of personal privacy. While the discussion surrounding the introduction of the legislation has emphasized the bill's role in enhancing privacy, the text of the legislation tells a different story. Only in comparison to a lack of standards for privacy does this bill represent a step forward. The legislation completely ignores fundamental flaws in the current system, introduces new rights of access to medical records, and fails to address the public's growing apprehensions about the loss of their privacy.

Concerns about the privacy of medical records are very directly related to the development of computer technology and the creation of large computer databases of medical records. Yet S. 1360 only mentions computers once, in the bill's definition of "writing." [Sec. 3 (18)]. There is no recognition that more restrictive rules should apply for access to computer databases. This is the most fundamental flaw in the legislation.

Allow me to state in simple terms the world envisioned by S. 1360. A person who seeks medical care will find that the entity which pays for the health care can require, as a condition of payment, that it receives a computerized record of the treatment records. [Sec. 202 (a), Sec. 202 (b)(1)] What types of information are involved? It includes information concerning "preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure, with respect to the physical or mental health condition of an individual; or affecting the structure or function of the human body or any part of the human body; or any sale or dispensing of a drug, device, equipment, or other item to an individual, or for the use of an individual, pursuant to a prescription." [Sec. 3 (4)] It also includes demographic information, information about payments for medical services, and more generally, information that "relates to the past, present, or future physical or mental health or condition of an individual." [Sec. 3 (14)]

The insurance company, employer, government agency or other entity that provides the third party payments for health care can create and maintain a database of patient records, and use these records for a number of purposes. These computer databases will contain unique personal identifiers. These organizations, many of them huge organizations, are asked to protect the records from disclosure to the general public, but the act allows for many cases where the patient records can be shared with others. I will briefly describe some of the persons who will have access to medical records, without consent from the patient, without prior notice, and in many cases without any notice.

1. Law Enforcement Officials. The act ensures that virtually any law enforcement official will have the right to search your medical records, not by identifying your doctors and obtaining a warrant for records from a doctor's office, but simply by contacting large insurance companies, employers or database companies, and searching computer databases. These law enforcement officials will be required to obtain a subpoena from a grand jury, an "administrative" subpoena or summons, or a judicial summons or a warrant [Sec. 212 (a) (1)], which simply says that there is "probable cause" to believe that the information is "relevant" to a legitimate law enforcement inquiry. [Sec. 212 (a) (2)]. You don't even have to be a target of the inquiry, or suspected of committing any crime. If the action proceeds under a "warrant," a patient need not receive prior notice. [Sec. 212 (a) (3)]. A patient has a right to move to quash a warrant, but that right is severely limited by the fact that prior notice isn't required. Indeed, government law enforcement officials have 30 days to serve notice that the warrant has been issued [Sec. 212 (a)(3)], and that time can be extended by a court. [Sec. 212 (a)(5)(A)] If a subpoena is used, the government may also apply to a court ex parte and under seal, and ask for an order delaying the notice of the subpoena. The extension or delay in notice for a warrant or subpoena can be obtained if the government can show that the request is "relevant" to a legitimate law enforcement inquiry (civil or criminal), the government's "need" for the information outweighs the privacy interest of the individual, and there are reasonable grounds to believe that the notice will lead to endangerment of life, flight from prosecution, destruction of or tampering with evidence, intimidation of potential witnesses, or more broadly, "disclosure of the existence or nature of a confidential law enforcement investigation or grand jury investigation that is likely to seriously jeopardize such investigation." [Sec. 212 (a)(5)(B)].

A subpoena or summons for information can be obtained for persons whose identity is unknown. [Sec. 212 (a)(4)]. Law enforcement officials would apparently have the right to search computer databases to "find" records that match certain criteria. What will this involve? Physical characteristics, psychological profiles, data on DNA or other genetic characteristics? If this isn't intended, why doesn't the bill say so plainly?

The bill also allows law enforcement authorities the right to obtain access to medical records without a warrant or subpoena for the "identification of a victim or witness" in a law enforcement inquiry. [Sec. 212 (c)]. These would also likely involve searches of computer databases to find persons who meet characteristics identified by law enforcement officials.

Who are these law enforcement officials who will have such broad and ready access to such personal information? According to the U.S. Department of Justice, in 1992 there were 78,570 state and 476,261 general purpose police employees, 225,342 employees of state and local sheriff offices, and 60,926 state and local "special" police, for a total of 841,099 full and part-time employees in state and local police and sheriffs' departments. To this we add the considerable number of federal law enforcement officials from the obvious agencies such as the FBI, CIA, NSA, ATF, INS, IRS, various military intelligence agencies, etc. But even that doesn't give an adequate description. The term "law enforcement inquiry" means "a lawful investigation or official proceeding inquiring into a violation of, or failure to comply with, any criminal or civil statute or any regulation, rule or order issued pursuant to such a statute." [Sec. 3 (12)]. Thus, investigators from many if not most federal and state agencies would qualify. The number of persons who could argue that they qualify under that very broad definition is undoubtedly quite high.

2. Public Health Authorities. Public Health Authorities are defined as "an authority or instrumentality of the United States, a State, or a political subdivision of a State that is . . . responsible for public health matters; and . . . engaged in such activities as injury reporting, public health, surveillance, and public health investigation or intervention." [Sec. 3 (15)] Any health care provider, health plan, health researcher, public health authority, employer, insurer, school or university, or certified health information network service, plus others, may disclose medical records to "a public health authority or other person authorized by law for use in a legally authorized (1) disease or injury report; public health surveillance, or public health investigation or intervention." [Sec. 208]. This creates another large class of persons with access to databases of personal medical records. The bill does not require consent or notice for disclosure [Sec. 203 (e)], and there are no provisions for warrants, subpoenas or other legal burdens to obtain access.

3. Health Researchers. Health researchers, who are really not defined in the bill (except by circular reference), may obtain medical records without consent or notice [Sec. 203 (e)], if the "protected health information" is needed for the "effectiveness of the project," and "is of sufficient importance" to "outweigh the intrusion into the privacy of the individual who is the subject of the information." [Sec. 209 (a)] Who will make such a determination? Certified Institutional Review Boards that would be found in hundreds of hospitals and medical schools. Thousands of graduate students and other researchers (including large consulting firms) would be allowed to obtain personal medical records, in order to pursue any number of studies of health care issues. No one who was included in these studies would have any notice that their records were used, even when the information was disclosed with personal identifying information, including such items as the patient's name, address, social security number or employer.

4. Health Oversight Agency. Another broad category of persons who would have access to medical records, without consent or notice, would include persons working for a "Health Oversight Agency." This is defined in the bill very broadly, to include "a person who . . . performs or oversees the performance of an assessment, evaluation, determination, or investigation relating to the licensing, accreditation, or certification of health care providers; or . . . performs or oversees the performance of an assessment, evaluation, determination, investigation, or prosecution relating to compliance with legal, fiscal medical, or scientific standards relating to . . . the delivery of or payment for, health care, health services or equipment, or health research; or . . . health care fraud or fraudulent claims regarding health services or equipment, or related activities and items." [Sec. 3 (8)] This information is supposed to only be used in investigations of fraud or payment for health care. [Sec. 207 (b)]. For reasons that are not readily apparent, there are no requirements for notice that your records have been examined by these officials. [Sec. 203 (e)].

In addition to these categories, there are a number of other groups that may receive the records. Firms like Equifax or IMS, which sell personal information for marketing purposes, will be allowed to obtain medical records, with personal identifiers, without consent or notice, for purposes of creating large databases of "nonidentifiable" information. [Sec. 204] Litigants in civil matters may ask to obtain records from the databases if health matters are at issue. [Sec. 210]. And of course, thousands of persons from health care agencies, HMOs, insurance companies, employers and others will have access to these databases.

S. 1360 sets out rules to discourage the improper release of records, and imposes large fines on persons who violate those rules, but will not and cannot prevent the very predictable invasions of privacy that will occur once literally millions of persons have opportunities to access computer databases of medical records. It hardly needs to be said that we have witnessed an enormous amount of official and private misconduct with respect to access to records stored in paper formats, and these problems only accelerate once records are stored on computers. One need not be a luddite to question the wisdom of giving more than 1 million law enforcement officials access to computer databases of medical records. It is common sense and maturity to recognize that some records should never be gathered and maintained in databases. Congress must question the right of anyone to create these databases in the first place.

As you know, a number of groups oppose S. 1360, even though it was only introduced last week. The Electronic Frontier Foundation (EFF), the Electronic Privacy Information Center (EPIC), the Center for Patient Rights (CPR), the Massachusetts ACLU, and other groups have issued critical comments on the legislation. We expect those critical responses to snowball once people learn what this bill will authorize.

The Consumer Project on Technology was created by Ralph Nader this year to investigate a wide range of technology related issues, including telecommunications regulation, intellectual property rights, and the impact of computers on personal privacy. Our "home page" on the Internet's World Wide Web is http://www.essential.org/cpt/cpt.html. We would very much appreciate the opportunity to testify in opposition to this legislation at the proposed November 14, 1995 hearings. We will be providing additional comments on the legislation at a later time, including our concerns over the vast pre-emption of state rights in the legislation [Sec. 410], which we believe sets a ceiling on privacy legislation, rather than a floor, and the unwarranted immunities from civil litigation that the legislation extends to Equifax, insurance companies, HMOs and others. [Sec. 402].

Thank you very much for considering our views and our request to testify.

Sincerely,

James Love
Director
Consumer Project on Technology
love@tap.org
http://www.essential.org/cpt/cpt.html
voice: 202/387-8030

-----------------------------------------------------------------
* Corrected November 10, 1995