STATEMENT to the Committee on Government Reform and Oversight Subcommittee on Government Management, Information and Technology U.S. House of Representatives

Hearings on: The Health Information Protection Act [Discussion Draft] June 14, 1996

CONTACT: Jane M. Orient, M.D.
(520)327-4885; FAX: (520)326-3529

The Association of American Physicians and Surgeons (AAPS), founded in 1943 to protect private medicine and the patient-physician relationship, represents physicians in all specialties nationwide.

The Association is deeply concerned that any Act that has the potential to alter or impair long-standing ethical principles or traditional human relationships should be enacted only after long and careful consideration, with many opportunities for wide public discussion.

Under no circumstances should such an Act be adopted in haste, with urgency to ``pass something, anything'' in the hope that it can be amended later, after an infrastructure is already set in concrete, as was suggested by one panelist testifying before the Committee during the hearings on June 14, 1996.

Our specific concerns about the Health Information Privacy Protection Act include: The creation of a new entity called a ``health information trustee,'' which subsumes physicians and other ``health care providers,'' placing them in the same category as ``health plans,'' ``health oversight agency,'' and ``public health authority.''

The destruction of the patient-physician relationship:

Under present private-practice arrangements, the patient's personal physician is responsible to the patient for the confidentiality of the record and is bound by an ethical code. The Oath of Hippocrates provides that: ``All that may come to my knowledge in the exercise of my profession or outside of my profession or in daily commerce with men, which ought not be spread abroad, I will keep secret and never reveal.'' It is only under exceptional circumstances, such as direct and imminent danger to others, that the law of the state is held to override this obligation.

Under the proposed new structure, the physician is but one of many ``trustees,'' and his authority and discretion are denied under a broad and vague range of circumstances. He may be prohibited by law from making disclosures necessary for the optimal treatment of his patient (say by lack of written consent) and commanded, under threat of legal sanctions, to release information to the detriment of his patient, for example, for a law enforcement inquiry, which may involve ``a violation of, or failure to comply with, any criminal or civil statute or any regulation, rule, or order issued pursuant to such a statute,'' [however trivial or remotely related to the receipt of a medical service]. (See Section 211(b). The idea of using medical information to track down witnesses in unrelated matters, as would be permitted by Section 211(b)(1) is chilling. In addition, Section 211(a)(3) is far too broad.)

Most of the ``trustees'' have no direct responsibility to the patient, and no direct knowledge of or contact with the patient. Yet their authority and discretion are equal to or superior to that of the physician.

The potential for the conversion of the medical record into a tool for coercive central planning and social engineering, without the patient's knowledge or consent.

The Act appears to assume extensive conversion of medical records into entries in a networked computer system. It fails to guarantee and even undermines the single most important safeguard: the right to keep one's private information out of such a system, in the exclusive custody of the patient and his chosen agents such as his private physician and others directly responsible for his care.

The potential for abuse of confidential records is highlighted by the recent collection of security files on individuals possibly targeted by the White House for political reasons.

Penalties disproportionate to the seriousness of offenses and lack of requirement to prove criminal intent for imposing civil penalties.

Any person ``who the Secretary determines has substantially and materially failed to comply with this Act shall be subject'' to penalties. Inadvertent violations of obscure regulations, even if no harm to an individual results, can be punished very severely ($10,000 fine per offense). Yet the sale of information, potentially for many millions of dollars, carries a maximum civil penalty of $250,000. No distinction is made between individual physicians involved in direct patient care and billion-dollar ``health plans,'' which have enormous capabilities for diffusing responsibility and avoiding criminal sanctions (which, appropriately, depend on proving criminal intent).

Loss of right to sue for damages resulting from disclosure of protected information.

The only protection that individuals have from harmful disclosures is through law enforcement agencies. Offenders may be punished or deterred, but how is the victim to be compensated if harmed by behavior that complies with the letter of the law as assessed by bureaucratic agencies (which are by no means immune to influence from well-funded special interests such as the information processing industry)?

A comparable law would deprive patients of the right to sue for medical malpractice as long as the ``providers'' had complied with the letter of the law and avoided the commission of an actual crime.

CONCLUSIONS

At a minimum, it is essential that the following provisions be included in any health care information legislation:

1. The right of all Americans to seek medical treatment outside of any medical insurance plan in which they may be enrolled should be explicitly guaranteed-especially (but not exclusively) if the plan requires or permits the compilation of or access to information, which relates to a patient's medical condition or to physician-patient communications, by anyone other than the patient's own physician or person acting under the direction of such physician.
2. Compilation of or access to information, which relates to a patient's medical condition or to physician-patient communications, by anyone other than the patient's own physician or person acting under the direction of such physician, must require the patient's express, fully informed consent.
3. No medical professional may be required to perform any act that violates his conscience as a condition of being permitted to practice his profession or specialty.
4. Patients should have a cause of civil action against any individual or entity, including an agent or agency of the government, who causes him harm by the misuse of computerized data. To this end, any electronic data processing system established under this Act should include a mechanism for tracking all individuals who access identifiable records.

These essential requirements were presented in a similar form to the Senate Labor and Human Resources Committee in a statement on the Medical Records Confidentiality Act of 1995 to the Senate Labor and Human Resources Committee, November 30, 1995.

We are deeply concerned that an Act that does not contain these protections will have an effect opposite to the one suggested by titles that claim to protect privacy or confidentiality. Congress should be alert to the danger of establishing procedures that permit and facilitate the transmission of information for which disclosure is now either prohibited or practically impossible.