THE DEADLINE FOR COMMENTS IS TODAY (2/17/2000). Public comments taken by the Internet at or the DHHS website says written comments postmarked today will be accepted.



February 17, 2000

Citizens' Council on Health Care
1954 University Ave., Suite 8
St. Paul, Minnesota 55104

U.S. Department of Health and Human Services
Assistant Secretary for Planning and Evaluation
Attention: Privacy-P
Room G-322A, Hubert H. Humphrey Building
200 Independence Avenue SW
Washington, DC 20201

Re: RIN 0991-AB08
Standards for Privacy of Individually Identifiable Health Information

To Whom It May Concern:

Thank you for the opportunity to make public comments on the proposed regulations for disclosure of health and medical record information. Citizens' Council on Health Care is a St. Paul, Minnesota-based national, nonpartisan, charitable non-profit health care policy organization focused on engaging and empowering public participation in the health care debate through sharing of information, public policy analysis, and alternatives. Our comments follow, with headings as noted in the proposed regulation.

Need for Privacy Standards
The Department is correct in saying that patients wish to have their medical records protected, but is then incorrect to cast the privacy efforts of state legislatures as needing an overriding federal standard. Some state laws such as those in Minnesota have effectively mandated patient consent--the most effective approach to patient privacy--which this regulation specifically forbids.

To state in the regulations that there is a need for a federal privacy standard runs counter to a second statement which clarifies that this regulation seeks to "improve access" for a more effective and efficient health care system. Like the checks and balances that keep Congress from "efficiently" passing every proposed law, there should be checks and balances within the health care system that effectively protect the privacy needs of patients by limiting easy access unless there is patient consent. Admittedly, some believe this makes the health care system less "effective" but we must ask 'in whose eyes?' Many patients do not want to have their medical information easily transferable, accessible, trackable, or linkable. For security purposes, inconvenience is a small matter to them and a certain amount of inefficiency is welcomed.

As the regulation states, according to the House Report No. 496, 104th Congress, 2d. Sess., at 99, the reason "health information is considered relatively safe" is because "it is difficult to access." These standards as written would take away that safety by making medical information easy to access. In addition, the Department proposes prohibiting any requests for patient consent. Clearly, these standards set a standard for permitting disclosure, not a standard for prohibiting disclosure. And as such, the public does not need this type of "privacy standard."

Real privacy standards would follow the regulation's own reasoning on page 59929: "paper records that are never reduced to electronic form are less likely to become disseminated broadly through the health care system." This is true and therefore, if there is to be a federal standard for medical privacy, the most effective method should be protected and promoted. Patients should be allowed and encouraged to keep their medical information in a format that protects privacy. However, as the regulation states, this regulation is not meant to protect privacy: "The purpose of these provisions is to promote administrative simplification." Privacy clearly runs a distant second place to permitting the efficient transmission, sharing, and exchange of private data.

Statutory Background
The regulations state that Congress "recognized that privacy standards must accompany the electronic data interchange standards" and that there must be "an increase in the privacy and confidentiality" of medical information. However, these regulations not only effectively increase access for traditional payment and treatment purposes, they also propose to dismantle any remaining obstacles to access by granting federal authority to disclose patient data for new, non-statutory, department-generated "national priorities."

In addition, the Secretary dismisses the seriousness of imposing net costs if the regulations "reduc[e] administrative costs for the health care system as a whole." Clearly, the bigger corporations will have more resources to deal with an increase in net costs while the smaller, more personable health care entities may lack the resources to comply with this regulation. This seems less than helpful to those individuals who want to retain a personal touch in their contact with the health care system, along with the better privacy protections smaller groups afford.

We note that there are no definitions for "privacy" and "confidentiality." This seems inappropriate given the written emphasis on privacy and confidentiality of medical records. Without a definition, how can members of the public know what the Secretary means? How can the Department's intentions be interpreted without these two critical definitions? Without a definition, how can the Department be held accountable for a privacy standard?

Introduction to General Rules
As stated, the regulations propose "to make the use and exchange of protected health information relatively easy for health care purposes..." And in this case, "health care purposes" is defined much more broadly than the public would naturally assume. CCHC does not find that "health care purposes" includes use of medical records for purposes beyond the diagnosis and treatment of individual patients. Government databases, health plan research, medical research, law enforcement, public health purposes, national security, and health care operations are all outside the parameters of patient care.

Treatment, Payment, and Health Care Operations
The Department is correct in saying that most patients expect data to be exchanged for treatment and payment; however, "health care operations" do not fall in line with patient expectations. In fact, health care operations are often found to be the leading obstacle to receiving patient care. Pre-authorizations, retroactive utilization review, provider profiling, physician credentialing, litigation, practice guidelines, and outcomes research are not typically patient-friendly practices. As such, for the protection of patients, patient consent should be required before the disclosure of medical data for health care operations as defined in this regulation.

Instead, the regulations specifically state, "We also propose to prohibit covered entities from seeking individual authorization for uses and disclosures for treatment, payment and health care operations unless required by State law or other applicable law." It's one thing to say no consent is needed, although CCHC objects even to that; however, it's quite another thing to actually prohibit a request for consent. To prohibit such may constitute an infringement of constitutional protections. It certainly is a step outside the bounds of the legislation which authorized the Secretary to write a standard for the protection of patient information, not to prohibit the most fundamental standard of privacy protection.

In addition, the definitions of payment and treatment do not meet the public's expectation for use of data. Included in "payment" are risk adjustments (a method for determining capitation payments), determining medical necessity or appropriateness of care (avoiding payment for care), and prior authorization (a method used to interfere with medical decision-making). Included in "treatment" are risk assessment, case management and disease management, all of which have been found to be intrusive to the decision-making process necessary for individualized patient care. In essence, the patient's data can be used against them when they most need care.

Introduction to Uses and Disclosures without Individual Authorization
The problem with this entire section is its very assertion of new national priorities which are found nowhere in statute. The Department proposes 13 unconsented disclosures which are "designed to permit and promote key national health care priorities, and to ensure that the health care system operates smoothly." It is quite disingenuous to state to the American public that, "The proposed regulation is intended to reflect the importance of safeguarding individuals' confidentiality..." and then to follow it by defining 13 multi-faceted disclosures for "enabling important national priority activities that require protected health information."

This defines a national priority that has been generated by Department officials simply to appease the intrusive and profiteering motives of individuals, state agencies, research institutes, law enforcement agencies, and businesses who want to use patient data to further their own objectives. This new "national priority" runs counter to the Constitutional protections of citizens. We will comment on just a few of the 13 unconsented disclosures, but we agree with none of them.

Public Health
Clearly, according to this regulation, government officials believe themselves deserving of unlimited access to medical data. The proposed regulation states that patient data will be disclosed without consent "for the full range of public health activities including reporting of diseases, injuries, and conditions...and a variety of activities broadly covered by the terms public health surveillance, public health investigation, and public health intervention..." In addition, access for public health purposes is not limited to government access, but is also granted to all those involved with the government through grants or contracts.

Law Enforcement
The doctor's office will become an unsafe place if victims, or persons who are not victims but are judged as victims or criminals, are not allowed to seek care without being reported to a law enforcement agency. The doctor's office should not be deputized. Nor should disclosure be allowed for a doctor's judgment about the patient which is made in "good faith." And "time-constraints" are not a justifiable excuse to authorize access to information without a warrant for the identification and location of possible suspects, witnesses, or missing persons. To authorize sweeping police powers under the guise of a new national priority is to strip people of their Constitutional rights for protection and due process. Notably, the regulation states, "access for law enforcement under this rule would be easier where other rules would impose procedural protections." The regulation describes the new powers of law enforcement by saying, "Nor is this list of important uses by law enforcement exhaustive."

Governmental Health Data Systems
The premise of county, state, or federal government databases and data collection is wrong on its face. To authorize approval of disclosure without consent for "efforts to improve public policies and program management, improve health care and reduce costs, improve information available for consumer choice," and to allow access by government entities to "analyze health care outcomes, quality, costs and patterns of utilization, effects of public policies, changes in the health care delivery system, and related trends" is to ignore the fact that health care is a private business, not a government affair. In 1994, Congress said no to a national health care system. The department's regulation runs counter to that decision and presumes power and oversight authority not given to government officials by the people or their elected representatives.

As important as research might be to some members of the public, unconsented access to data will itself harm the validity of research. What data can be trusted once patients begin to understand the comprehensive invasion of their medical records? Like the 15 percent of the American population which has already begun to alter the information they provide to doctors (California Healthcare Foundation study, 1/28/99), the general public will do whatever is necessary to protect their families and themselves. The doctor's office will be a place for planned deception, not a safe haven for honest discussion.

Many of those seeking data for research want the millions of dollars available in grants or the profitable patents on products of research. To permit access to patient data without patient consent is to run roughshod over the rights of patients. The international standard prohibits involuntary research, or the use of coercive tactics against vulnerable patients.

In addition, an Institutional Review Board is not a mechanism for patient protection and has never been one. Many IRBs are overwhelmed by requests and populated with members that have a personal, professional, or institutional interest in gaining access to grant dollars. Clearly, there is not a national priority big enough to make patients into involuntary research subjects.

Introduction to rights of individuals
Although the regulations initially call privacy "a fundamental right," they end by saying "the right is not absolute." In other words, the right is conditional, which negates it being a right at all. Rights are not conditional, otherwise they would not be called rights. For the department to be confused on this issue shows a sad lack of understanding about the very concept of rights. This misconception is carried through the entire Rights of Individuals section. In fact, all the so-called "rights" have been formulated specifically to describe the limited conditions under which access and knowledge about the disclosure and use of one's records will be granted.

Notably, access to the data is restricted for litigation purposes, and knowledge of access by HMOs, insurers, and the government is also restricted. Ironically, the combination of these two restrictions limits a patient's right to due process under the law and puts the patient in a compromised position for defending his or her legal rights against powerful corporate and government entities who may have already built a case against him before he was allowed to know about it.

Relationship to State Laws
The fact that at least five pages of rationale are written regarding the relationship of State law to the regulation shows a decided attempt by the Department to preempt State law even though the statute prohibits it. The regulation's extensive examination of statutory language ("more stringent," "contrary," "relates to the privacy of individually identifiable health information," and "State law") seems to provide the Secretary with some ability to intervene and interfere with State legislation. This regulation as written is not capable of protecting patient privacy, whereas State legislation has proved protective for many. No attempt should be made to interfere with state legislative decisions that align with the desires and needs of local constituents.

These regulations effectively dismantle medical privacy, medical confidentiality, reliable research, and patient and citizen confidence. The Secretary seeks unprecedented access to patient medical records under her newly prescribed national priorities. We strongly oppose the intrusiveness and sweeping new government powers of medical record access proposed by these regulations. We recommend that a new draft of privacy regulations--focused on truly protecting patient privacy--should be written. As always, we are available to answer your questions.


Twila Brase, R.N.

"A citizens' resource for designing the future of health care"

Citizens' Council on Health Care
1954 University Ave. W., Suite 8
St. Paul, MN 55104