1601 N. Tucson Blvd. Suite 9
Tucson, AZ 85716-3450
Phone: (800) 635-1196
Hotline: (800) 419-4777
Association of American Physicians and Surgeons, Inc.
A Voice for Private Physicians Since 1943
Omnia pro aegroto

September __, 1998

Health Care Financing Administration
Department of Health and Human Services
Attention: HCFA-0049-P
P.O. Box 26585
Baltimore, MD 21207-0519

Re: PROPOSED RULE HCFA-0049-P

To Whom It May Concern:

The Association of American Physicians and Surgeons ("AAPS") hereby submits its comments to proposed rule HCFA-0049-P ("Proposed Rule").

AAPS is a not-for-profit membership organization that represents thousands of physicians in all practices and specialties. It was established in 1943 to preserve the practice of private medicine, and has remained dedicated to the Oath of Hippocrates and protecting the sanctity of the patient-physician relationship. It is incorporated in the State of Indiana and is tax-exempt under Section 501(c)(6) of the Internal Revenue Code.

AAPS objects to the Proposed Rule because HCFA arbitrarily delegates to private entities its statutory obligation to establish the standards. As the Proposed Rule expressly acknowledges, "Paragraphs (c) through (f) of section 1173 of the [Social Security] Act require the Secretary to establish ... security standards for health care information systems." 63 F.R. 43241, 43243. The Proposed Rule, however, fails "to establish" any actual "security standards." Rather, the Proposed Rule merely promulgates procedures under which private entities can establish their own rules. Moreover, many of the procedural requirements set forth in the Proposed Rule are counterproductive with respect to medical record privacy, and others are of no value due to glaring inadequacies.

The Proposed Rule then arbitrarily delegates enforcement of security to private businesses that compete with physicians and with each other. In addition, the Proposed Rule purports to preempt State laws unless expressly exempted by the Secretary, and no such exemptions were included in the proposal. Finally, the Proposed Rule would impose unjustified burdens on physicians, in violation of the Paperwork Reduction Act and the Regulatory Flexibility Act. Physicians would be subjected to numerous different standards developed by private entities under the Proposed Rule, and be subjected to an additional costly layer of bureaucratic procedure without substantive benefit.

AAPS respectfully urges the Health Care Financing Administration ("HCFA") to reconsider its Proposed Rule in light of these comments.

A. THE "SECURITY STANDARD -- GENERAL" (SECTION II.D).

The Proposed Rule imposes procedural burdens without any substantive benefit to security. Specifically, the Proposed Rule acknowledges that:

The standard does not address the extent to which a particular entity should implement the specific features. Instead, we would require that each affected entity assess its own security needs and risks and devise, implement, and maintain appropriate security to address its business requirements. How individual security requirements would be satisfied and which technology to use would be business decisions that each organization would have to make.

63 F.R. at 43250. The actual standard for security is thereby delegated to the discretion of the private entities, at the expense of medical record privacy.

The Proposed Rule states that its procedural requirements were developed in order "to determine an appropriate balance between the primary concerns of patients and the information needs of various users of health care information." Id. (quotations omitted). Specifically, the Proposed Rule relies primarily on the following recommendation of the National Research Council:

"The federal government should work with industry to promote and encourage an informed public debate to determine an appropriate balance between the primary concerns of patients and the information needs of various users of health care information."

Id. (quoting the National Research Council's 1997 report, For The Record).

Moreover, it is arbitrary and capricious for the Proposed Rule to impose lengthy procedural requirements on individual physicians without any justification that these procedures will significantly improve the security of medical records. For example, the proposed procedural requirement for extensive data backups is irrelevant to protecting against unauthorized access, and in fact increases the opportunity and likelihood for an invasion of privacy by a computer operator. Proposed Sec. 142.308(a)(3); 63 F.R. at 43266. The proposed procedural requirement of "information security awareness training programs" will likely increase the vulnerability of the data in large organizations by increasing the number of employees who have knowledge about the system. Proposed Sec. 142.308(b)(6); 63 F.R. at 43268. The proposed procedural requirement of a password (or equivalent) for entity authentication is meaningless, or even counterproductive, without an additional requirement that the password not be shared among multiple users. Proposed Sec. 142.308(c)(1)(v)(C); 63 F.R. at 43268. Moreover, this password requirement is inappropriate for small physician offices where access to the computer is limited to a few individuals and the computer lacks external dial-up access and is kept under lock and key.

B. THE "TECHNICAL SECURITY SERVICES" (SECTION II.D.3).

The Proposed Rule requires encryption for the transmission of medical records over the Internet, but arbitrarily fails to require encryption for medical record files that are stored on a multi-user system. See id. at 43255-56. Electronic medical records that are stored in files on a multi-user system must be encrypted to protect privacy for the same reason that records transmitted over the Internet must be encrypted: it is simply too easy, and the incentives for unauthorized access too great, to omit protections for such highly personal information. It is far easier to access records through a large multi-user system than to intercept them during transmission over the Internet, and thus encryption on such multi-user systems must be mandatory.

C. ENFORCEMENT (SECTION II.I).

The Proposed Rule states that "[w]e envision the monitoring and enforcement process as a partnership between the Federal government and the private sector." Id. at 43259. Neither the statute nor due process under the Constitution permits this "public/private" partnership. The provision of medical services is economically competitive, and it is a violation of constitutional rights to due process for HCFA to delegate enforcement responsibilities to private competitors. Even non-profit entities, like the "private accreditation bodies" referenced in the Proposed Rule, are often controlled by narrow market interests. Id. The Proposed Rule arbitrarily imposes "industry-developed checklists" upon "[s]mall providers" without due process protections. Id. This delegation of enforcement authority to private entities is permitted neither by the statute nor by the Constitution.

The Proposed Rule states that "HHS would likely retain the final responsibility for determining violations and imposing the penalties specified by the statute." Id. (emphasis added). This procedure is plainly inadequate. Due process requires that HHS have initial as well as final responsibility for determining any violations and imposing any penalties. The Constitution and the enabling statute prohibit a system whereby one competitor, or a non-profit group beholden to that competitor, can determine violations by and impose penalties on another competitor.

Finally, the Proposed Rule arbitrarily fails to establish meaningful penalties for actual unauthorized access to medical records. The Proposed Rule should define what constitutes unauthorized access, and it should set forth penalties tailored to the size of the organization for such unauthorized access.

D. IMPLEMENTATION (SECTION III).

The Proposed Rule purports to preempt State law:

The security standard would supersede contrary provisions of State law including State law requiring medical or health plan records to be maintained or transmitted in other electronic formats. There are certain exceptions when the standards would not supersede contrary provisions of State law; section 1178 identifies those conditions and directs the Secretary to determine whether a particular State provision falls within one or more of the exceptions.

63 F.R. at 43259. But the Proposed Rule does not include any substantive protections for the privacy rights of patients in electronic medical records, and pursuant to the above provision the Proposed Rule attempts to preempt State privacy laws with respect to such records. The above-quoted passage declares that the Secretary has the authority to "determine whether a particular State provision falls within ... the exceptions." This is contrary to Section 1178, which expressly exempts State privacy laws regardless of any determination by the Secretary. 42 U.S.C. § 1320d-7(a)(2)(B).

By omitting clarification with respect to State privacy laws, the Proposed Rule arbitrarily creates confusion about the applicability of State privacy laws with respect to electronic medical records. The Proposed Rule enables managed care organizations to demand medical records in contradiction of the privacy policy of certain States, so long as HCFA has not expressly exempted such privacy policy from the regulation. Patients, however, will continue to expect, and rightfully so, that their privacy be fully protected at all times. It is essential that the Proposed Rule contain express and specific exemptions of State laws with respect to medical privacy.

E. THE "COLLECTION OF INFORMATION REQUIREMENTS," THE PRA AND RFA (SECTION VII).

The Proposed Rule violates the Paperwork Reduction Act ("PRA") and the Regulatory Flexibility Act ("RFA") by failing to consider and estimate the enormous burden imposed by the proposed regulatory requirements. While a comprehensive procedural structure may impose small proportional costs on a large organization, small physician offices with a single-user computer system will incur proportionally large and unnecessary costs from the additional procedural requirements. The Proposed Rule, however, imposes cumbersome procedural requirements on even the smallest of offices, without commensurate benefit. These procedural requirements impose a substantial proportional cost on small offices of thousands of dollars per year. Requirements concerning electronic signatures must likewise be evaluated under the PRA and RFA. The old-fashioned lock-and-key approach provides far more security in a small physician's office than the proposed procedures would.

CONCLUSION.

AAPS respectfully urges HCFA to consider and implement the above modifications with respect to HCFA-0049-P. Please contact me if I can be of further assistance.

Sincerely,

Jane Orient, M.D.
Executive Director