March 26, 2001
The Honorable Thomas Thompson
Dear Mr. Thompson:
Thank you for this additional period to comment on these regulations concerning the dissemination of confidential medical records, which are deceptively referred to as "privacy" regulations. Yes, they would have unintended consequences: the worst would be to enable if not actually guarantee wholesale invasions of privacy.
We fully support the effort in Congress to repeal this work of the previous Administration.
AAPS is a nationwide organization representing thousands of physicians in all specialties, who care for hundreds of thousands of patients. The association was founded in 1943 to preserve private medicine, traditional medical ethics, and the sanctity of the patient-physician relationship.
We were among the 52,000 who submitted comments on the draft regulations. Despite the extensive objections that were raised, the final regulations are worse than the draft and extend the onerous regime to all medical records, even handwritten ones, despite the acknowledged lack of statutory authority to do so. (Section 164.501, Definitions, Secretary's discussion of the definition of "Protected health information" on p. 82496.) We object to this expansion of the regulations.
Later in this letter, we will cite additional specific troublesome sections of the regulations. However, because the regulations are flawed in concept as well as in execution, we will begin with a discussion of basic principles.
1. Once data are entered in standard format into a networked computer, it is technically impossible to guard against widespread dissemination. Supposedly secure government computer systems, even in the Pentagon, have repeatedly been compromised. Yet, Administrative Simplification could ultimately force such data entry on all lawful medical encounters. We understand that electronic data will be mandatory for all insurers to supply if any provider requests it.
Any meaningful privacy protections must be implemented before entry into the electronic network. The protection could be of two basic types: nonentry of data, or entry in an encrypted form accessible only to those who have patient consent.
Technical means should soon be available to permit reliable, low-cost methods to facilitate or prohibit access, with the patient-not the government, a third party, a "business associate," or a "health oversight" official-in control. Any regulation should, at minimum, be delayed until the potential for such measures is better known. Otherwise, medical facilities, physicians, and insurers will be burdened indefinitely with antiquated, cumbersome, ineffective, expensive means that only pretend to protect privacy, while a new industry is strangled in its cradle.
Patients may be willing to permit entry of most of their medical data in return for receiving third-party reimbursement. However, they should never be forced to permit such data entry as a condition of receiving medical treatment (as would be the case under the Clinton/Shalala rules, Section 164.506(b)(1), p. 82511). Self payment, or payment through a mechanism that does not contractually require intrusive data gathering and broad access, should always be permitted.
Law enforcement and oversight agencies already have the authority to obtain records through court orders and subpoenas. The U.S. Constitution forbids the intrusion of government into private homes and papers for fishing expeditions; probable cause of wrong-doing must be established first. As we have previously commented, the Clinton/Shalala regulations attempt to repeal the Fourth Amendment to the U.S. Constitution. Immediate court challenges are likely. The impression that the government is intent on prying into everyone's private affairs-even if the data gathering is well intentioned and never abusive-will fuel citizens' suspicions of their government.
2. The Clinton/Shalala regulations impose heavy costs and are likely to drive small insurers and small medical offices out of business. Government agencies have a long and dismal history of vastly underestimating the costs that they impose. There is no accountability for the estimates when the real numbers come in; productive Americans just have to bear the burden, or be crushed by the load. Once small businesses fold, they are gone forever. Americans will be at the mercy of the few giants that survive if small insurance companies and solo or small medical practices vanish. Complex regulations also raise the barrier to marketplace entry and thwart innovation.
3. "Administrative Simplification"-of which the "privacy" regulations are an integral part-depends upon unique national identifiers for both patients and physicians, and provides the infrastructure for the complete government takeover of medicine envisioned by Clinton. Americans are overwhelmingly opposed to such identifiers, and to the networked government-mandated data bases that they enable. Regulations that depend upon an unconstitutional provision-that is obnoxious to most Americans-need to be withdrawn. This Administration should not be a party to the covert implementation of an essential piece of the Clinton Health Security Act that was rejected once Americans learned of its implications.
The term "Administrative Simplification" was used frequently in the documents of the Interdepartmental Working Group of the Clinton Task Force on HealthCare Reform, which had to be made available to the public as a result of our lawsuit, AAPS v. Clinton”. This lawsuit asserted that the secret operations of the Task Force violated the Federal Advisory Committee Act. Indeed, "Information Systems and Administrative Simplification" was the charge of Working Groups 10 and 19.
One of the Briefing Books prepared for Bill Clinton and Hillary Rodham Clinton stated: "A standard benefit package, guaranteed coverage, reforms relating to pre-existing conditions, creation of regional health alliances and imposition of standard premiums will act to reduce the traditional variable requirements between insurance companies.... [A]dministrative simplification is not the primary rationale for these health reforms, but it is necessary to support them."
In other words, Administrative Simplification was designed as a means to an end: a government takeover of medicine. It was not an end in itself. Its design served its intended purpose. Not surprisingly, the design is ill suited to (and indeed inimical to) the efficient functioning of a free marketplace or the protection of individual rights.
Another illustration from the Task Force documents that the Clinton Administration never wanted to see the light of day: A memorandum from Tim Hill to Rita Lavizzo-Mourey, found in Box 3810 at the National Archives II, said that Administrative Simplification would "require, by July 1, 1994, all providers, plans and public programs to use the claim forms, enrollment data sets and utilization review standards set forth by the Secretary. ... Plans that continue to use other forms, instructions, or UR procedures that are not consistent with those promulgated by the Secretary shall be subject to civil monetary penalties. ... Authorize the Secretary of HHS to, after December 1, 1995, mandate the automation of transactions for which she has promulgated standards."
The Clinton/Shalala regulations are designed to work with the forced automation and standardization envisioned here. They are appropriate for a monolithic, compulsory, uniform system ruled by top-down dictates that criminalize the use of the wrong form. They make many references to "enrollment" and "utilization review"-concepts that have little to do with the patient's concern about confidential records but much to do with expansive, minute regulation of health insurers-and with forcing Americans into the type of hated managed-care arrangements against which they are now rebelling.
Because the purpose of Clinton Administrative Simplification was to enable government agencies to share data in order to establish central control, a destructive effect on privacy was inevitable. A computer system is either designed to protect data (as the Department of Defense computers are supposed to do) or to facilitate sharing. The same system cannot do both.
Just as the Clinton Health Security Act would have destroyed free-market medicine, the Clinton/Shalala regulations are destructive of a diversified, innovative, flexible, variable, customer-driven, free-market system.
The enabling statute for the regulations was lifted wholesale from the Clinton Health Security Act and grafted onto a supposedly simple bill meant to facilitate insurance portability, unbeknownst to most members of Congress. Thus, while the Republicans may have taken over Congress in 1994, thanks to outrage over the Clinton plan, the plan itself remained in the staff computers. The Administrative Simplification section was passed into law and then-by default-turned into regulations by its original authors.
It is very fitting that Congress and this Administration should start afresh with the idea of protecting privacy, rather than with the goal of painting a privacy fig leaf over a naked attempt to nationalize all medical records.
A full, open public debate must precede new regulations to assure that their foundation is sound and that they have informed support, rather than just the urging of a "do something, do anything" mentality.
4. The Clinton/Shalala regulations would force a major change in the practice of medicine, with a fundamental transfer of power over information from professionals and patients to government agencies. Major cultural changes have major unintended consequences. A 30-day comment period is totally inadequate for discovering what such consequences might be.
Compliance requirements, rather than professional ethics and judgment, will dictate medical record-keeping, which will in turn impose changes in clinical thinking and practice.
Inordinate resources will have to be devoted to compliance efforts and thus diverted from patient care. Given the length, complexity, and internal inconsistency in the rules, a whole new industry is springing up to "help" physicians in attempting to comply. The very idea of imposing rules that the most highly educated people in the nation can't understand is outrageous on its face. The ability to sustain a practice will depend on the ability to afford expensive consultants rather than on talent and responsiveness to patients' needs.
Some specific notes:
On p. 82470, it is stated that "Section 1177 establishes penalties for any person that knowingly uses a unique health identifier,... in violation of this part." This assumes the existence of the identifier, to which the majority of Americans object, and which cannot be implemented because Congress has denied funding.
On p. 82472, under "Enforcement," the Secretary delegates her enforcement authority to the Office of Civil Rights, which has no expertise in medical records.
One example of conflicting requirements that will confront covered entities is found in the "Implied Repeal Analysis" on p. 82482. The privacy regulation in Section 164.512(a) forbids certain disclosures that may be required by another regulation, such as the Clinical Laboratory Improvement Act. Which rule is a person to obey?
The rule appears to prevent parents from exercising their responsibilities in certain instances, as in Section 164.501--Definitions, on p. 82493, where "individual" is defined. Here, the Secretary intrudes into family life and the parent-child relationship. An unemancipated minor has exclusive right to determine whether a parent or guardian can obtain access to information about a procedure lawfully obtained without parental consent. Presumably, this refers to abortion. What is a physician to do if he needs information and parental consent to save an unemancipated patient who is critically ill, possibly due to a complication of an abortion?
Section 164.506(c), p. 82511, requires that consent forms be written in plain English, satisfying a number of broad requirements, but no model consent form is provided. A provider apparently must guess about whether his consent form is adequate. Further difficulties arise, see p. 82549, in that notices must be written in plain language in a foreign tongue when a "significant number or proportion" of the population "eligible to be served" are not English proficient. Apparently, definitions of terms such as "significant" will be at the discretion of the Office of Civil Rights. Regulations dependent on arbitrary later definitions at the discretion of an agency are unconstitutionally vague.
The complexity of compliance is illustrated by the instructions for segregation of records (Section 164.502(i), p. 82550) each time an entity changes its privacy notice.
Section 164.514(d), p. 82543, attempts to define "minimum necessary." Trying to adhere to this one section could turn every routine request for medical records into a federal case, hampering the timely transmittal of important information. This is another example of unconstitutional vagueness.
Section 164.512(b) permits the disclosure of protected health information to officials of foreign governments who are cooperating with pubic health authorities. We object to this potential bypass of all privacy protections simply by putting the information into the hands of those who are not bound by U.S. law, at the discretion of a public health official.
Many other specific issues could be raised. These are simply illustrative of the fundamental deficiencies in these regulations.
We strongly urge the repeal of the Clinton/Shalala regulations and the development of fundamentally different privacy protections, with delay long enough to permit extensive public input as well as the maturation of new technology.
We emphasize that privacy protection must occur before entry of data into a networked computer, which should require informed patient consent. Any federal regulations should concern only the protection of data voluntarily entered in this way into interstate commerce, and should not alter or override the duty of professionals to guard confidences. Under no circumstances should federal regulations require the electronic entry of data as a condition for obtaining private medical services.
Jane M. Orient, M.D.