April 26, 2002
U.S. Department of Health and Human Services
Dear Secretary Thompson:
The Association of American Physicians and Surgeons (AAPS) has submitted detailed comments in the past regarding numerous problems with the Privacy Rule. The problems remain even with these revisions. In fact, we are concerned that the problems may be exacerbated as the proposed revisions actually reduce medical privacy.
Modifications published in the March 27, 2002, issue of the Federal Register continue to reflect the failure of HHS to make several fundamental distinctions:
Use vs. Disclosure
To prevent full and open communication between persons responsible for a patient's care, or to restrict use of information that may pertain to diagnosis or optimal treatment, is to mandate medical malpractice. A patient's request for treatment implies consent to use information that may be necessary for that treatment.
Last August, AAPS testified at hearings held by the National Committee on Vital and Health Statistics regarding the "minimum necessary" standard (testimony attached). Our testimony, as well as that of most of the other witnesses, outlined the arbitrary nature of a "minimum necessary" standard, and the difficulties in enforcement.
It is impossible to define a "minimally necessary" data set; it is impossible to know in advance just what piece of information may be life-saving.
Problems with potential misuse of data concern disclosure of data outside the practice or institution to which the patient has entrusted his care. Patient consent for such disclosures has traditionally been required; medical ethics forbids such disclosures without consent. The enormous burden of the Privacy Rule resulted from the attempt to dictate the form of the consent, to extend consent to use of information in patient care, and to force providers to attempt the impossible task of defining "minimally necessary" for each and every disclosure - again, not from an arbitrary concept of requiring consent.
Clinical Use vs. Other
Sections 164.502 and 164.506 of the Rule would actually increase the ability of third parties to access medical records without patient consent. These entities could include insurance companies, data-processing firms and Health Maintenance Organizations.
The umbrella definition covered services of treatment, payment, operations - "TPO" is problematic, lumping payment, marketing and an unlimited number of other functions into the same category as clinical use of the PHI and requirements for consent and disclosure.
The Privacy Rule does not make a clear distinction between third parties and caregivers. The ethical practice of medicine requires separation from the business of insurance. Today's third-party arrangements tend to integrate these two functions and blur the distinction between them. Patients may be willing to accept the inevitable loss of privacy as a trade-off for third-party payment. They should not, however, be forced to relinquish their right to privacy if they receive no benefit in exchange. Thus, patients who pay directly for medical services without filing a claim with a third party should never be required to "consent" to disclosure for payment purposes.
Further, the use of the PHI and disclosure with the end use of marketing is not well defined. This was quite evident at the hearings on this issue held by the National Committee on Vital and Health Statistics subcommittee on January 24, 2002. One Committee member commented that listening to the witnesses, one would think they were talking about different regulations.
We reiterate our testimony at that hearing - the simple solution would be to remove marketing from the definition of TPO.
Patients' Interests vs. Others' Interests
The bulk of the Privacy Rule concerns the interest in parties other than the patient in using data for their own purposes, which may actually be contrary to the patient's best interest. In this "balancing" act, the individual patient is reduced to virtual insignificance. As we have pointed out, the Rule does not even segregate activities -- especially marketing -- that are of no relevance to actual medical care.
While there may be legitimate uses of an individual's medical information for research and/or other uses for the "public good," the Constitution prevents coercion of this disclosure without patient consent.
Notification vs. Consent
Section 164.512 : Notification is not the same as consent. And "required consent" as a condition of obtaining treatment is not the same as voluntary consent, whether or not the patient signs a form.
We are disappointed that a number of complaints voiced by thousands who filed their comments have not been addressed in these revisions.
First, is that the Fourth Amendment issues have not been resolved. We urge revisions that would require law enforcement officials to be required to obtain a warrant before seizing private medical medicals.
Second, the sections that require physicians to provide the government with PHI for the sole purpose of monitoring compliance should be eliminated.
And finally, we urge you to add language that would make clear that any and all private contracts - entered into by patients freely, rather than by government coercion -- be made exempt from the rules.
JANE M. ORIENT, M.D.