AAPS Analysis:
Standards for Privacy of Individually Identifiable Health Information

The document to which this analysis refers can be retrieved at http://aspe.hhs.gov/admnsimp/

Note that the original deadline for receipt of comments was January 3, 2000, now extended to Feb. 17. Send one original, three copies, and if possible a 3.5-inch floppy disk in Adobe Acrobat Portable Document Format (PDF) (preferred), HTML, ASCII text, Microsoft Word, or Corel WordPerfect to:

U.S. Dept. of Health and Human Services
Asst Secretary for Planning and Evaluation
Attention: Privacy-P
Room G-322A
Hubert H. Humphrey Building
200 Independence Ave. SW
Washington, DC 20201

The rules... propose standards with respect to the rights that individuals who are the subject of this information should have.

It is unconstitutional to have an administrative agency as creator and definer of rights. The scope of authority of HHS should be narrowly interpreted to set federal standards for the protection of electronically transmitted medical information, not to seize control of all such information and dictate that it may be used for any purpose authorized by HHS.

I. Background. A. Need for privacy standards. The Secretary notes that one-sixth of respondents have taken action to avoid misuse of their information, such as withholding or providing inaccurate information.

This is probably a serious underestimate. Nearly 75% of physicians responding to an AAPS survey stated that they had withheld information to protect patients' privacy.

I. C. Administrative costs. "Even if the rules proposed below were to impose net costs, which we do not believe they do, they would still be 'consistent with' the objective of reducing administrative costs for the health care system as a whole."

The rules, we believe, will impose enormous net costs on those who care for the sick. The savings will accrue only in other areas such as research, federal monitoring of medical services, law enforcement, and fiscal operations of health plans. HHS should not be permitted to use benefits to a sector that most Americans do not even consider to be part of the "health care system" to offset costs imposed on medical facilities, in order to calculate a net savings.

I.E. Summary and purpose of the proposed rule. The Secretary notes that there is no individual cause of action for individuals whose privacy rights are violated.

We concur that this is a serious omission. Penalties are extremely harsh yet completely unrelated to harm (if any) resulting from a rule violation.

I.E. The secretary notes that "any provider who maintains a solely paper information system would not be subject to these privacy standards, thus leaving another gap in the system of protection we propose to create."

This gap may be the patient's sole means of protecting against broad access to his medical records by government as well as private and quasi-governmental special interest groups. We object to the Secretary's attempt to exceed statutory boundaries: "Although we are concerned that extending our regulatory coverage to all records might be inconsistent with the intent of the provision in HIPAA, we believe that we do have the authority to do so." The mere fact that a piece of information has once passed through any type of computer (as through a paper-to-computer FAX) should not constitute an automatic authorization for broad use.

I. E. 1. Applicability, b. Protected health information. "Under our proposal, most uses and disclosures would not require explicit authorization by the individual, but would be restricted by the provisions of the rule."

Expanded use, rather than protection, will be the actual effect of these rules. The protection is merely an unsecured promise that the information will be as safe as, say, tax records (but not as safe as records of video rentals).

I.E.4,5. Uses and disclosures with individual authorization and uses and disclosures for treatment, payment and health care operations.

Notably, authorization will be required for uses that an individual might find to be in his own interest: employment, disability benefits, litigation, or the development of marketing strategies to meet his needs more effectively. Yet authorization is not required precisely for those uses that are generally not in an individual's own interest. The Secretary has assumed the power to "balance" the individual's privacy with "other social values," such as smooth operation of the health care system and other "national priorities." The rules are reminiscent of totalitarian systems that guaranteed the same rights as the U.S. Constitution, and then voided them with the phrase "except as provided by law." (See the 13th bulleted point: "Where other law requires such disclosure and no other category of permissible disclosures would allow the disclosure.")

I.E.8. Administrative requirements and policy development and documentation.

This provision requires every "covered entity" such as a physician to appoint a "privacy official" and develop the functional equivalent of a scaled-down police bureaucracy for its internal medical records procedures (even if complaints about physicians' use of medical records are nonexistent to rare). At the same time, "noncovered entities," which are much more likely to be a problem, are under no such obligation. In fact, it is the duty of the covered entity to monitor the noncovered entity and "punish" unacceptable practices, even though the only available punishment is to deprive the business partner of future business. Generally, such threats work well in the free market, but in an increasingly regulated market, they are severely hampered by the lack of available alternatives.

II. Provisions. A. Applicability. 1. Covered entities. "Health care providers who themselves do not directly conduct electronic transactions would become subject to the provisions of the proposed rule if another entity, such as a billing agent or hospital, transmits health information in electronic form in connection with a standard transaction on their behalf."

This imposes vicarious liability on physicians, who would be responsible for transactions over which they have little if any control. They have no discretion about the occurrence of such transactions unless they withdraw from hospital practice.

II.A.2. Covered information. a. Legislative authority. "Health information is considered relatively 'safe' today, not because it is secure, but because it is difficult to access."

Indeed, health information is relatively safe today. Once it becomes easy to access, it will inevitably be much less safe, as the drafters of HIPAA recognize. These regulations will not increase safety but will compromise it further.

II.A.2.a. The Secretary apparently assumes that her authority is (or should be) plenary unless explicitly limited: "In HIPAA, when Congress intended to limit health information to its electronic form, it did so explicitly." Thus, the regulations are expanded to non-electronic media where they "support the overall goal of enabling electronic information interchange."

There is no inherent restriction in this caveat. Anything, even a physician's notes to himself, could be construed as supporting this goal. There is no constitutional authority to delegate such unrestricted power to an administrative agency.

II. B. Definitions. 4. Health care clearinghouses. "We propose to exempt clearinghouses from a number of the provisions of this rule...because in most cases clearinghouses would not be dealing directly with individuals."

We believe that clearinghouses should be covered precisely because they do not deal with individuals who might serve to constrain their actions. Capability of misusing data (where such misuse certainly does have the power to harm the individuals who are the subject of the information) should be the operative factor, not whether the entity "deals with individuals."

II. B. 7. Health plans. p. Other plans: "[T]he provisions of this rule generally would NOT apply to certain types of insurance entities, such as workers' compensation...."

This provides an obvious and giant loophole for entities intent on profiting from disclosure of information with the potential to be extremely harmful to an individual, as by affecting prospects of employment.

II.B. 20. "Law enforcement official" is defined very broadly.

This "new" definition could apply to any county or municipality official, even one without law enforcement training of the traditional type. Such an official might be on a fishing expedition for failure to comply with any of millions of pages of federal regulations totally unrelated to health care as generally understood or to crimes that lead to recognizable harm to any individual. As for investigating "health care fraud," HHS already has gained enormous power for issuing administrative subpoenas, and there is no justification for extending that power even further. Conveying expansive new powers to every official engaged in some form of "new" law enforcement is very far removed from the stated purpose of legislation to achieve "administrative simplification."

II.B. 21. Payment. "We offer a new definition of payment."

This is another "new" definition that vastly expands the power of government and other third party "payors," turning them into controllers as well, despite current public pressure to take medical decisions out of the hands of third parties.

II.C.b. Health care operations. The Secretary's definition of "health care operations" is so broad that she finds it more helpful to list things that are NOT "health care operations." This is the narrow range of activities for which "protected" health information may not be used without explicit authorization. These include marketing, insurance underwriting, and employment determinations.

The definition of "health care operations" is far too broad. There should be a short list of activities for which information may be released (such as emergency treatment, situations constituting a clear and present danger to self or others, or evidence of a crime involving direct injury to person or property). In other words, in these rules the prohibitions are backward. The default option should be NONdisclosure.

II.E.5.i. "If a misperception were to develop that law enforcement had instant and pervasive access to medical records, the goals of this proposed regulation could be undermined."

We agree. Nonetheless, whatever the perception, the reality of these regulations is that "law enforcement," including agencies not concerned with protecting citizens against the dangers that concern them (e.g. violent crime), does acquire vastly expanded access.

II.E.6. Government health data systems: "The data are an important resource that can be used for multiple policy evaluations."

It appears that citizens could be nonconsenting research subjects in a wide variety of public policy experiments.

II.F.1 IV. Preliminary regulatory impact analysis. The Secretary estimates a cost of $1 billion in the first year of implementation. This estimate disregards "administrative simplification" costs as well as a large number of other costs.

It is fair to say that the cost of the regulation is unknown but much higher than $1 billion. It will be disproportionately higher and possibly prohibitive for small providers. A likely result is further consolidation of the system into a few giant monoliths, with a great decrease in patients' options.

IV.C. Need for the proposed action. The Secretary makes reference to the importance of the Fourth Amendment, with emphasis on the fact that the right is not absolute.

The key, once again, is the definition of terms, in this case, "unreasonable." Anything that theoretically furthers the pursuit of a "transcendent" value such as health is presumably "reasonable." Having an administrative agency determining the limits of an unalienable right is in itself unconstitutional.

General Concerns: These regulations would deny, as a matter of federal law, the right of individuals to control access to their medical records. They would undermine the patient-physician relationship and impair the quality of medical care. They could create a backdoor for implementing the unique numbering system to which Americans are adamantly opposed.

Conclusion: We recommend that this rule be withdrawn, to be completely rewritten so as to be consistent with the Constitution and a narrow interpretation of the statute.

