CPT November 14, 1995 Comments on S. 1360


Comments of Consumer Project on technology

on

S. 1360 - the Medical Records Confidentiality Act of 1995

submitted to the Senate Committee on Labor and Human Resources*

James P. Love

November 14, 1995


Introduction

The following comments of the Consumer Project on Technology (CPT) outline our suggestions for improvements in S. 1360, the Medical Records Confidentiality Act. While we join others in applauding the sponsors of S. 1360 for focusing attention on the important issue of privacy of medical records, we cannot support the bill as introduced. Our initial concerns about S. 1360 are detailed in an earlier November 2, 1995 letter, which is attached. I will briefly summarize our objections the legislation, and then detail specific areas where we think S. 1360 can be strengthened.

As introduced, S. 1360 does more to protect the medical records industry than the privacy of patients. The legislation severely limits state action on medical records privacy issues. Consumers lose rights to sue health care trustees under common law. Insurance companies, employers or HMO's have the right to demand access to medical records as a condition of payment. Once records are acquired by the Insurance company, HMO, or self insured employer, there are literally millions of persons who have the right to obtain the records, without the consent of the patient.

S. 1360 defines law enforcement investigations extremely broadly, to include more than one millions persons involved in enforcement of any civil or criminal statute, regulation, rule, or order. For example, the Department of Justice estimates that in 1992 some 841,099 persons were employed by state and local police and sheriffs departments. Law enforcement officials will have access to medical records without consent or even prior notice, and will be permitted to use computer databases of records to search for persons whose identity is unknown, including witnesses, suspected wrongdoers, or anyone who is "relevant" to an investigation.

Health care researchers, including those not affiliated with universities or hospitals, public health officials, health oversight officials, and other groups are given access to patient records, without consent or even notice. While health information trustees are required to keep records of persons who have access to records for non-treatment purposes (for seven years), patients will likely find it extremely difficult to locate these records.

Health care providers, insurance companies, large employers, computer and information services companies have successfully lobbied to obtain provisions that protect their commercial interests. Government agencies, such as the law enforcement community, and the health care "research" community have also successfully asserted extremely broad claims of access to medical records. As a result, S. 1360 is framed more as an access bill, than a privacy bill.

Under S. 1360, large systems of computer databases with cradle to grave medical records will be easily available to anyone with access. Records need not be stored in centralized databases to be readily accessible. Different databases, which are managed independently, and stored in remote locations, can be linked together by telecommunications networks, and used in a manner similar to a single database, if queries can be delivered and authorized electronically, as is allowed and anticipated under S. 1360. The amazing efficiencies of new information technologies are being combined with equally important revolutions in medical technologies. Basic information about weight or blood type are being supplemented by data on genetic characteristics and other high-tech items. It is not enough to write rules which largely codify current practices, with cosmetic improvements.

Firms with access to medical records databases are investing in product development and marketing strategies, in order to encourage greater access to the medical records, not less access. Self insured or experience rated employers will be encouraged to study records in a variety of ways to manage health care costs. Insurance companies will be encouraged to run medical audits, with "consent," before issuing policies. The huge numbers of law enforcement officials with access to medical records will be a market, waiting for the development of the right "products" to enhance the efficiency of their investigations. S. 1360 will facilitate the development of those markets, because it largely removes doctors from the role of guardians of patient records, and it does not question the right of large businesses to build systems which allow for automated searches of personally identifiable patient records.

Some proponents of S. 1360 claim that the bill will enhance privacy, because current laws and protections are so weak. The "something is better than nothing" argument would be more persuasive if the law did not preempt state action, or eliminate privacy law suits under common law. "Something" is hardly the appropriate response to the problem at hand. Without real privacy protections, consumers will withhold information from doctors, and doctors will create untruthful records, in order to avoid the transmission of the information to a system that is so porous.

The following are suggestions for language which would increase the level of consumer privacy.


1. Doctors Should Exercise Greater Control over Records.

Under S. 1360, an entity that pays for medical care may require disclosure of protected health information [Sec 202 (a)], and the authorization to obtain health care records to validate expenditures may not be revoked [ Sec 202 (b) (1)]. This is an important step in the process, because if the entity that pays for the treatment obtains the records, decisions about disclosure of the data will be made by persons other than doctors responsible for treatment.

Some advocates of S. 1360 say that one can avoid having medical records entered into large databases by paying out-of-pocket for health care costs. For consumers who struggle to make ends meet, this is not a particularly viable option. Privacy of medical records should be available to everyone, regardless of income.

We suggest a new subsection 202 (e), which states:

Sec. 202 (e) Disclosure for Payment. -- A health information trustee that receives protected health care information for purposes of authorization of payment may only use information for this purpose, and may not redisseminate the information to any third parties, including persons who seek information under sections 204, 205, 206, 207, 208, 209, 210, 211 or 212 of this act. Protected information received for purposes of payment authorization shall be removed or destroyed at the earliest opportunity once payment has been authorized.

2. The Preemption of State Law Is Too Broad.

The Sec. 401 preemption of state law is far too broad, and results in the legislation acting as a ceiling on privacy, rather than a floor.

Sec. 401 (a) states that "except as provided in" certain areas, "this Act preempts State law." The exceptions include:

I would suggest striking this section altogether. If this isn't possible, add a new section (c) (9), to add another item which S. 1360 does NOT preempt.

(9) any State law which limits the collection, indexing, dissemination, or maintenance of medical records in electronic formats.

As you know, we are concerned S. 1360 does not take adequate account of the impact of computer technologies on privacy, and that the fact that records are stored in digital formats creates new threats to privacy. By adding our proposed (c) (9) to Sec. 401, states will be free to enhance the baseline privacy protections of S. 1360, by addressing the most important issues in the management of the records in electronic databases. Some state legislatures may decide that their citizens deserve greater privacy protections than those that are included in S. 1360. We see no reasons to deny state action in this area.


3. Congress Should Not Take Away a Citizen's Right to Sue under Common Law.

Under Sec. 402, a health information trustee (which includes just about anyone who manages or uses these records), and who makes a disclosure about an individual "that is permitted" by the Act, shall "not be liable to the individual for such disclosures under common law." This section should be stricken. There is no need to provide this super immunity to the health information trustees. They retain broad discretion under the law, and health care consumers should have the right to pursue their rights under common law for violations of privacy. Under Section 201 (c), the bill says that "nothing in this title that permits a disclosure of health information shall be construed to require such disclosure." The Sec. 201 (c) language is important, because it underscores the fact that health care providers and health care trustees have the discretion and the responsibility to limit disclosures of information to protect privacy. S. 1360 is written to address all possible uses of medical records, and consequently, it gives quite broad authority to disseminate information. However, consumers expect that health care providers and health care trustees will exercise reasonable judgement in making decisions about when to disclose. The elimination of common law rights of action is an unwarranted and unnecessary elimination of an important incentive for health care providers to use caution in authorizing disclosures.


4. The Law Enforcement Provisions Are Absurd, and must Be Vastly Narrowed.

As noted in our letter of November 2, 1995, we are alarmed at the seemingly wide open provisions for law enforcement access to medical records. This term the United States Supreme Court is considering a case where a law enforcement official is asserting that her mental health records should be privileged, and not made available to the government. Most Americans believe that their own medical records are privileged documents, not subject to easy perusal by law enforcement officials. We estimate that well over 1 million government employees will have the right to access to medical records under S. 1360, without consent or prior notice, under the very broadly defined Sec. 212 law enforcement provisions.

This section gives any government official who is responsible for enforcement of any criminal or civil statute, or regulation, rule or order adopted under the authority of a statute, access to medical records. It is written in such a way that even a dog catcher or building inspector will have the right to obtain a warrant for access to a person's medical records. Congressional staff appear to be covered as well.

Law enforcement officials are given the right to obtain records for persons whose identities are unknown, or to use medical records databases to identify witnesses or victims. The only standard for access is that there must be probable cause that the information is "relevant" to an inquiry -- even if a person isn't the target of the investigation. Will the police obtain medical records in order to prepare for an interrogation or questioning of acquaintances of suspected wrongdoers? Will this become standard procedure when putting political dissidents under surveillance? What would this have done for Nixon's plumbers when they sought "access" to Daniel Ellsberg's psychiatric records?

The following are initial suggestions for reducing the problems in Sec. 212.


5. Consumers Will Find it Difficult or Impossible to Locate the Records Which Account for Disclosures. Much Can Be Done to Improve Sec. 112.

Under Sec. 112, a health information trustee will be required to create and maintain records of disclosures that are not related to treatment, including the many types of disclosures allowed under Sections 204, 205, 206, 207, 208, 209, 210, 211, and 212. These will be extremely important data, because they are one indication of how often our medical records are shown to others. For 7 years this data will be considered protected health information. [Sec. 112 (b)]. Under Sec. 101 (a), it appears as though a consumer is entitled to inspect or copy these records, since the consumer is "the subject" of the protected information. However, locating this information will be difficult. Health care trustees will maintain the disclosure records in remote locations. Under Sections 204 through 212 there often be no notice to the consumer that a disclosure has occurred. In order to discover that a disclosure has been made, a consumer will have to contact health care trustees, one by one, making inquiries. A failure to report a disclosure at any step will eliminate the record trail. Health care trustees have 30 days to respond to requests for information, and one can anticipate slippage in that number. The trustee can require the consumer to pay for "the cost of such inspection and copying." One can imagine a fee charged simply to make an inquiry. It seems likely that an exhaustive search of trustees that may have had access to ones records could take years and hundreds or thousands of dollars, every time it was undertaken. Indeed, it could be much more difficult, when one considers the fact that one's entire medical history, from cradle to grave, is involved. This greatly diminishes the usefulness of the records. We are also concerned that some health care trustees will simply not report the Sec. 112 disclosures at all, leaving gaps in the record trail.

Proponents of S. 1360 say that it is enough to give the consumer a record trail, which shows directions where one might look. We would like to see each user of a patients record report back to the source, every time the record has been accessed. If the trail can lead one way, it surely can be designed to lead the information back in the direction where the consumer might actually find it. To accomplish this, we recommend adding the following new subsection (c) in Sec. 112.

Sec. 112 (c). The health care trustee shall provide copies of records of disclosures to the person who maintains custody of the original copy the protected health care record, and that person shall attach the report to the original record.

We were also surprised to see that the length of time that the health care trustee must maintain its records has been shortened from the 10 years that appeared in the copies of S. 1360 disseminated by Senator Bennett on the bill's introduction, to 7 years in the printed version of the bill. [Sec. 112 (b)] We prefer a longer period, twenty years.

We are also in favor of a provision that requires health care trustees to report data on disclosures to a centralized location, so that we can see statistics on how often consumers records are accessed, and for what purposes. The Secretary should adopt rules for reporting this information, for all health care trustees, providing statistical data on the number of times records are accessed, who obtains access, under what sections of the law was access obtained, and for what purposes was the information used. We recommend a new subsection (d) be added to Sec. 112, which says:

Sec. 112 (d). The health care trustee shall provide annual statistical reports to the Secretary, in a format which is specified by the Secretary, which discloses the number of records that are accessed, the types of persons or entities who obtain access, the sections of the law under which access was obtained, and the purposes for which the information was used. The health care trustee shall also obtain an independent audit to verify the information provided in this report. The Secretary shall make these reports available to the public.

6. The Consent Section Should Be Strengthened, to Limit Cases Where "Consent" Is Obtained with Coercion.

The Section 203 provisions for disclosure for purposes other than treatment or payment are based upon the fiction that consent will occur without coercion. Today it is common to be asked for "consent" for access to medical records in order to obtain life insurance. Under S. 1360, we anticipate a growth in services for searching medical records after obtaining consumer "consent" agreements. We are concerned that employees will seek "consent" to examine medical records, in order to estimate the cost of providing medical benefits, or to search for other information, such as evidence of homosexuality, mental illness, sexual promiscuity, or deviant behavior, to list just a few items. [Employers are limited in the information they can request about medical records prior to employment, under the federl Americans with Disabilities Act of 1990.] With a huge industry built around `the maintenance, transfer and indexing of patient records, it will increasingly become easier to conduct such searches. If employers are allowed to request "consent," it will be difficult to refuse. Indeed, a refusal will be a signal that the employee has something to hide.

The consent section should be strengthened by including a provision 202 (e), for rules against coercion, which states:

(e) The Secretary, after notice and opportunity for public comment, shall adopt rules which prohibit or limit requests for consent for access to protected health care information for purposes of employment, acceptance to a school or university, or for other purposes for which a request for consent may involve undue coercion.

If this Congress is unwilling to protect the public from requests for consent under coercion, then a provision should added to section to Sec. 401 (c), stating that this is an area where states are not preempted from acting.

Sec. 401 (c)(10) Any state law that limits the right of employers or other groups to request consent for protected medical information.


7. The Provisions for Access by Health Oversight Agencies [Sec. 207], Public Health authorities [Sec. 208], and Health Researchers [Sec. 209] Should Be Modified to Require Notice in Every Case. Consent Should Be Required in Most Cases. Additional Reporting Is Needed.

At present, health oversight agencies, public health authorities or health reasearches have the right to access medical records without consent and without notice. This presents far too much access to medical records, and not much in the way of accountablity. For each group, notice to consumers should be required. In cases where consent is not obtained, the notice should include at least the following information:

(1) the records to be accessed,
(2) the reason for obtaining the records,
(3) the legal authority under which the records were obtained,
(4) the names of the persons who have access to the records, and
(5) how the records will be used, including disclosure of the length of time the records will be in the possession of the person obtaining access to the records without consent.

Health researchers should be required to obtain consent to receive access to records with personal indentifiers.

Since we don't know much about how these groups use medical records, or how that usage is changing as records are becomming computerized, we need annual reports which provide statistical information. These reports should be made pubic.

Sec. 112 (d). The health care trustee shall provide annual statistical reports to the Secretary, in a format which is specified by the Secretary, which discloses the number of records that are accessed, the types of persons or entities who obtain access, the sections of the law under which access was obtained, and the purposes for which the information was used. The health care trustee shall also obtain an independent audit to verify the information provided in this report. The Secretary shall make these reports available to the public.


The Consumer Project on Technology has created an Internet discussion list for this issue, called med-privacy, which available for subscriptions from listproc@essential.org. Send a note to listproc@tap.org, with the message:

subscribe med-privacy yourfirstname yourlastname

Our World Wide Web page has additional information, and is located at:

http://www.cptech.org/privacy/privacy.html.

The Consumer Project on Technology (CPT) is a project of the Center for Study of Responsive Law. The CPT was created by Ralph Nader this year to study a number of issues related to new technologies, including telecommunications regulation, pricing of pharmaceutical drugs, intellectual property rights, and the impact of computers on privacy. The URL for CPT is http://www.cptech.org/cpt.html.


* document reformated for web, two typos and several spelling errors fixed.



Return to Consumer Project on Technology Home Page.

Comments to James Love <love@tap.org>