August 6, 2005
BY OVERNIGHT DELIVERY
CMS Privacy Officer
Re: Notice of a New System of Records (SOR), 70 F.R. 38944
Dear Privacy Officer,
These comments are submitted on behalf of the Association of American Physicians & Surgeons, Inc. ("AAPS"), a nonprofit group of thousands of physicians that was founded in 1943. AAPS is one of the oldest and largest physician organizations funded virtually entirely by its membership, in contrast to other medical groups influenced by reliance on income based on government policies, industry or foundations. For more than sixty years, AAPS has been dedicated to the protection of the practice of ethical and private medicine. The motto of AAPS is "omnia pro aegroto," or "all for the patient." AAPS frequently comments on proposed regulations and often participates in litigation concerning various government actions.
AAPS has three primary objections to the "Notice of a New System of Records (SOR)."
First, the Health Insurance Portability and Accountability Act (HIPAA) does not confer any authority on the federal government over entities that are "non-covered" under HIPAA. HHS has consistently stated that physicians who do not engage in any electronic transactions are not covered by HIPAA, and are thus beyond statutory authority to regulate them under HIPAA.
Accordingly, a complaint about a "non-covered" entity should never be entered into SOR or stored or disseminated by it. The federal government simply lacks authority to maintain such information about non-covered entities, or distribute it. A threshold determination about jurisdiction over a complaint must be made, and those lacking in jurisdiction should never be entered into the system.
Second, it is entirely baseless for SOR to maintain information about any entity, covered or non-covered, for up to 25 years. Most federal statutes of limitations for crimes are only five (5) years, and that should be the maximum period for retention of information. To hold such material for five times longer than the statute of limitations is unjustified.
Third, there are insufficient safeguards against access to this information by "agency contractors or consultants" (No. 1) or a "CMS contractor (including, but not necessarily limited to fiscal intermediaries and carriers)" (No. 5). Such contractors or consultants often harass physicians improperly in connection with financial disputes, and unfettered access by such contractors or consultants to this complaint information would be improper and without statutory justification. At a minimum the physician should receive prior notice and a meaningful opportunity to object prior to releasing this information to his adversary.
Thank you for your consideration of these comments prior to promulgating the final rule.