June 15, 1999
Observations concerning the Health Care Personal Information Nondisclosure Act of 1999" or the "Health Care PIN Act", S. 578, introduced by Senator Jeffords (R-VT):
Sec. 2. Findings
The Act states: "An individual's confidentiality right means that an individual's consent is needed to disclose his or her protected health information, except in rare and limited circumstances required by the public interest."
Contradicting the implied promise in the above "finding," the Act defines a lengthy and broad array of circumstances defined as the public interest, including research, oversight, credentialing, quality assurance, utilization review, underwriting, auditing, and "such other services as the Secretary determines appropriate." In other words, any purpose for which a governmental or quasi-governmental agency, or private contractor of such agency, might want data would be expedited by this Act.
Access by these empowered entities would be with the patient's "consent": but the consent is coerced as a condition for obtaining any medical insurance or any medical treatment, even for which the patient pays out of pocket. Section 202 concerns "Procurement of Authorizations for Disclosure of Protected Health Information for Treatment, Payment, and Health Care Operations." It imposes requirements on employers, health plans, "an originating provider providing health care to an uninsured individual," and "providers": (6) "Every health care provider providing health care to an individual who has not given an authorization under paragraph (3), (4), or (5), shall, at the time of providing such care, obtain a signed, written authorization concerning the use and disclosure of protected health information for treatment, payment, and health care operations with respect to such an individual" [emphasis added].
It has been noted that the Jeffords bill was the only bill that permits an “exception” for self-paying patients. However, the exception allows only that the authorization may be revoked prior to a single or series of encounters with a provider. The individual then has an affirmative duty to notify providers of the revocation:
One effect of the Jeffords (and other bills supposedly protecting privacy) is to greatly expand the powers of law enforcement agencies to access medical records. Law enforcers would be allowed to obtain personal medical records to inquire into “a violation of, or failure to comply with, any criminal or civil statute or any regulation, rule, or order issued pursuant to such a statute” [emphasis added].
Medical records might have evidence of a variety of different violations: drug use, activities that might be construed as "abuse" or "neglect"; failure to obtained mandated services such as immunizations. The act does restrict use of protected health information in an action or investigation against an individual - unless the action or investigation arises from and is directly related to the receipt or payment for health care, an action involving a fraudulent claim (expansively defined these days), or an action involving "oversight of a public health authority or health researcher." The meaning of the last is especially unclear. Moreover, the liability for law enforcement officers is limited in Sec. 215.
Sec 312. Civil Penalties
The procedure for involving civil penalties is an administrative one that denies the accused many rights that are guaranteed by the Constitution even to those accused of capital crimes, such as the right to a jury trial, even though the fines may be very large (up to $100,000). The only rights are to representation by counsel, to present witnesses, and to cross-examine witnesses. An impartial tribunal is not among these.
Sec. 401. Relationship to Other Law
Though the Jeffords Act, unlike certain others, does not preempt those State laws that are more protective of privacy, this only applies to laws already in effect. See paragraph (a) (2): "Except as provided in subsections (b) and (c), the provisions of this Act shall preempt any State law relating to the privacy of protected health information if such law is enacted after the effective date of this Act."
The only privacy right that is probably preserved is that of a minor to obtain an abortion. See Section (c)(4): "Nothing in this title shall be construed to preempt, supersede, or modify the operation of any State law that--...governs a minor's right to access protected health information or health care services." Courts have consistently limited the "penumbras" of the Constitution protecting privacy to areas such as abortion and other "reproductive [contraceptive] rights."
It is curious that the Act exempts the Department of Defense from disclosure requirements, and that it also limits the right of civilian employees of DoD to revoke authorization.
AAPS sees no benefit in this Act, and flaws so deep that they cannot be corrected with a few cosmetic amendments. We recommend opposition to the bill. The only conceivable reason to support it is the fear that the regulations promulgated by the Secretary of Health and Human Services would probably be worse. But there is nor reason why Congress cannot repeal this ill-conceived delegation of power and deadline from the Kennedy-Kassebaum Act.
An Act that truly protects the confidentiality of medical records would provide, at a minimum:
(1) No personal medical records shall be placed into an electronic data base without the fully voluntary and fully informed consent of the individual.
(2) No federal law shall preempt State laws that are more protective of patient confidentiality or of a patient's access to his own records.
(3) Access to medical consultation or treatment shall not be denied on the basis of refusal to authorize computerized data entry or the use of data for research, "health oversight," "health operations," public health surveillance, expansive law enforcement (without the traditional Fourth Amendment requirements applied to other searches and seizures), of or other uses not voluntarily approved by the subject of the records. Providers may require self-payment for such services.
(4) Insurers or health plans shall not be forbidden by law to offer products that require less intrusive data authorization as a condition of purchase.
(5) Physicians have the right to inform patients of their right to withhold authorization for data access. Insurers or health plans or accrediting agencies or other agencies shall not deselect, decertify, decredential, fine, or otherwise sanction physicians for so informing their patients or for respecting the patients' right to self-pay for confidential medical service.
(6) The right to withhold authorization for submission of medical data for any purpose other than the processing of a claim for payment, shall not be forfeited because of age, enrollment in, or eligibility for any plan or program for paying for health or medical services, nor shall any person be obligated to submit a claim for payment.