Testimony submitted by the Association of American Physicians and Surgeons (AAPS)
for public hearings on
HIPAA MEDICAL PRIVACY REGULATIONS
submitted to the
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
AUGUST 22, 2001
The Association of American Physicians and Surgeons (AAPS) is a professional association of physicians in all practices and specialties, dedicated since 1943 to preserving the sanctity of the patient-physician relationship from third-party intrusion. AAPS, whose member physicians account for millions of patient visits every year, is the largest organization of its kind that is entirely member-funded. AAPS receives no government grants and has no contractual relationships with any government agencies or entities.
The AAPS was among the 52,000 who submitted comments on the draft regulations, and the tens of thousands who subsequently filed comments this year during the extended comment period. (We incorporate into this record our two written statements dated March 26, 2001, signed by Jane M. Orient, M.D., as Executive Director, and Andrew Schlafly, Esq., as General Counsel.)
In both those statements, AAPS outlined both general and specific objections to the privacy regulations, and urged repeal of the regulations.
To summarize our opposition, AAPS objects to the way the rule gives greater rights of access to the government than to the patient himself, and imposes an onerous regulatory burden in violation of the Paperwork Reduction Act and the Regulatory Flexibility Act. Further, AAPS believes the regulations violate the First, Fourth and Tenth Amendments.
The rules may create a massive federal mandate that requires every doctor to share patients’ records with the federal government without patient consent. Even more alarming is that patients may be refused medical treatment if they won’t consent to disclosure.
Physician Opposition & the Chilling Effect on Patient Communication
A mailed survey of 344 physicians conducted by the Association of American Physicians and Surgeons (AAPS) shows almost unanimous opposition to the privacy rules. An overwhelming 96% thought the rules would further compromise patient privacy.
Some of the other questions provide further clues about the practical effects of the rules. Physicians already report that third parties ask for information they believe violates confidentiality, with 51% reporting such requests from government agencies and 70% from health plans.
Nearly 87% reported that a patient had asked that information be kept out of the record, and nearly 78% of physicians said that they had indeed withheld information from a patient's record due to privacy concerns. While only 19% admit to lying to protect a patient's privacy, 74% state that they have withheld information for that reason.
Patients are withholding information, and doctors are lying, because of privacy concerns. The obvious conclusion is that these rules will only exacerbate the situation, to the point that distorted, incomplete and potentially dangerous medical records become the norm. Physicians’ ethics will be further challenged by the choice between complying with the government and lying for a patient.
Problems With Implementation & Enforcement of Minimum Necessary Standard
AAPS objects to the standard in general in that it is based on the assumption that there is a compelling need for an individual’s medical information, and that public health therefore usurps the individual’s rights.
Further, AAPS believes that the minimum necessary standard is undefined, and therefore unenforceable. The standard recalls the Mad Hatter’s pronouncement that a word means whatever he says it means. The requesting covered entity can define it in any way it sees fit, based on the say-so of its designated “professional,” who can be whoever the covered entity chooses. Further, the Office of Civil Rights has no authority to override the requestor.
Physicians will be forced into a game of regulatory roulette, guessing what standard to follow without a final authority or even advisory opinions, while being subject to criminal penalties if they guess wrong.
RESPONSES TO THE SUBCOMMITTEE’S WRITTEN QUESTIONS
Given our objections to the Regulations in general, and the minimum necessary standard in particular, we have made a good faith effort to respond to the Subcommittee’s written questions as follows:
1. What are the anticipated benefits of the minimum necessary standard?
The purported benefit is to prevent widespread dissemination of sensitive information that could harm the patient without providing the patient with any advantage. There is no evidence that this benefit is other than hypothetical. The release of "unnecessary" information is no more likely to harm a patient than is the release of the “minimum necessary” information.
For example, say that a coverage decision required information about a patient's gynecologic history. This might reveal that the patient had had an abortion. Release of this information might harm the patient, or the patient might perceive a risk of harm. On the other hand, the patient's race probably has no bearing on the coverage decision (in fact use of such information might be proscribed by civil rights laws) and is thus not part of the "minimum necessary" data set. There is probably neither real nor perceived harm in conveying this data bit, however; for one thing, it is, with high probability, widely known already.
The “minimum necessary” information might be just as prejudicial, perhaps more so if out of context, than the total chart, and is thus of no help in allaying patients’ concerns. For example, the presence of a diagnostic code for anxiety or depression could be prejudicial, whereas an understanding of the likely nonrecurring circumstances and the response to treatment would show the patient’s generally excellent mental status.
The agencies with the greatest power to do actual harm also have the power to define “minimum necessary” for their purposes. This includes governmental agencies, which might use the information to “plan” (effectively ration) care by allocating it to those who meet criteria for societal worthiness.
One factor that greatly diminishes any prospective benefit is that the definition of "minimum necessary" is determined by the recipient of the information, who may have a vested interest in obtaining as much information as possible. “A covered entity may reasonably rely on the assertion of a requesting covered entity that it is requesting the minimum protected health information necessary for the stated purpose,” or on the representation of a public official (p. 82545).
It is important to emphasize that the "stated purpose" is the purpose of the requesting entity, which may have nothing to do with the patient's needs. It may in fact be contrary to the patient's best interest. That is a fundamental flaw in this standard: it may appear to be protecting the patient, but in fact both definition and implementation are wholly in the hands of others. Moreover, those who have an ethical duty to protect the patient's interest (physicians) have a subservient role: their legal obligation is to determine whether they are complying with the request, not whether they may be harming the patient. In fact, the whole thrust of the regulation concerns control of information. And the control will not be in the hands of the subjects of the information; quite the contrary. Patients will have two choices: submit, or forgo medical care.
Patients who fear disclosure of all their sensitive information to government agencies (say because government computer systems have such a poor security record) have no choice but to withhold the information from their physicians. The “minimum necessary” standard does not apply to disclosures required by law. “Nothing in this rule permits covered entities to avoid disclosures required by other laws" (p. 82600). Indeed, physicians who withhold information could be charged with the federal crime of obstructing an investigation under the HIPAA statute.
The worst feature of the minimum necessary standard is that law enforcement is exempt. Any of a large number and variety of agencies that fit under a very broad definition of law enforcement have virtual carte blanche for fishing expeditions, looking for potential violations of any law. “We do not intend for lawful disclosures of protected health information for law enforcement purposes to be limited to those in which a law enforcement official knows that a law has been violated....” (p. 82613). This is a clear violation of the Fourth Amendment to the U.S. Constitution.
2. What are the costs of applying the minimum necessary standard?
It is impossible to calculate the cost of applying a standard that is so vague and ambiguous. Nevertheless, it is possible to say that the cost of supplying information would easily double or treble, at a minimum. Instead of having a clerk copy the entire chart within the dates specified, a practice would have to have a person with a higher level of training and discretion read the record to determine what should be sent and what withheld in each instance. This increased cost applies even when the transfer is “routine,” and thus can be covered by a standard protocol, as the person needs to be able to identify the type of information to be included. It might even be necessary to reorganize all the medical records to segregate information by type. Then there is the cost of training and supervising personnel involved in information transfer. For “nonroutine” or nonrecurring transfers, a “professional” may be needed to determine which items meet the criteria for inclusion. And of course a discerning person is needed to distinguish the routine from the nonroutine.
The need to make a judgment about the “minimum necessary” does not just apply to occasions when a disclosure is made. It is also required for use of information, which occurs constantly. If an office is totally electronic, data fields could be made accessible only to those with an appropriate password. But what about offices that use paper records and keep the insurance claim forms in the charts, so that entries may be made until the form is filled up and filed? Does an office have to redo every medical record (and turn it into several different types of record) so that the receptionist doesn't have to open a chart (and potentially read something in it) while looking for a telephone number or an item on an insurance form? The regulations do not address such questions at a practical level. The cost is highly dependent on the existing office procedures, and would be most devastating for the smallest, least affluent practices.
What level of personnel may make the required assessments? The regulations provide that a covered entity may “reasonably rely on the assertions of a ‘professional’ (such as lawyers and accountants) who is a member of its workforce or its business associates” in making the determination (p. 82545). But is a small practice required to hire a “professional” (and would a nurse do?) to handle this task? Covered entities must make “reasonable” efforts and the required effort is “scalable.” The regulations list eight factors relevant to defining “reasonableness” (p. 82544). The only one that is actually quantifiable is cost, and it is not quantified: no upper limit is placed on the absolute number of dollars or hours or the proportion of revenue or staff time that must be devoted to this purpose in order to meet the standard.
Small entities which do not already have a large administrative staff and legal department capable of absorbing a big extra workload could face disastrous costs. Yet reliance on the assertion that the requirements are “flexible” is very dangerous given the criminal penalties ($50,000 fines and/or a year's imprisonment) for violations of the rules. Even the civil penalties (up to $25,000 per person per year for violation of a single standard, p. 82470) could shut down a small practice.
3. Where should the line be drawn in determining what is “reasonably necessary”?
The line for determining “reasonably necessary” is very fuzzy in the regulations, as noted above. One method is to apply the standard only to electronic records, as the statute explicitly intended. Here, information is already segregated into data fields, so that selected portions of records can be reliably disclosed or withheld. (This is a very gross standard as the content of a particular data field varies greatly both in relevance to the stated purpose and sensitivity, from one patient or episode of care to another.)
Another method would be to set a high threshold of gross practice revenue, say $10 million or more per year, thus excluding entities too small to afford an in-house legal staff.
4. How can the concept of minimum necessary be explained with greater clarity to those who will be affected? Give specific examples.
The concept of “minimum necessary” could only be explained by someone who understands it in all of its myriad ramifications. There is no such person. The concept will differ depending on the person’s viewpoint: patient, physician, regulator, criminal investigator, or public health official may all see the same information in a different light. Consider the OASIS data (Outcome Assessment and Information Set) demanded by HHS of home health agencies. Twelve pages of fine print contained no fewer than 53 items related to toileting or elimination performance, and extensive information regarding social circumstances, choice of language, attitude, race, financial status, and range of activities. For criminal investigators, there is no limit to what is the minimum necessary to search for any potential violation. Others would have difficulty seeing the relevance of the demanded information to a reasonable purpose.
Patients should understand that “minimum necessary” bears little relationship to the potential harm from disclosure. From a practical standpoint, information is much more likely to be segregated by type than by sensitivity (with certain exceptions such as psychotherapy notes). Not all items of a certain type, such as laboratory tests, have the same implications. The very fact that a laboratory test (such as a drug screen) was done may be prejudicial even though the test was negative and was required because of a job requirement not because of suspected drug abuse. The requester of the information may actually have no need to know about it, even though a categorical request for lab tests was made.
The term is undefined in the regulation and undefinable in reality: A term that can signify so many different things to so many different entities is unintelligible in principle.
5. Does applying the minimum necessary standard internally in an institution make sense?
The application of a “minimum necessary” standard within an institution makes no sense whatsoever because of its infinite variability in possible meaning. An institution might well want to restrict records access (as by password) to the type of information pertinent to the employee’s job, or to the individual employee depending on experience and level of trust, not just job description. Employees in the accounting department can see financial records but not progress notes or lab reports; the laboratory technician could see just the information necessary to prepare the report; the nurse could see the clinical record except possibly for segregated notes; and so forth. While this might be defined as a “minimum necessary,” it is not the only possible construction of that term. It would be better to say that within an institution, employees have access to that information they might need for the optimal performance of their duties, as determined by the institution. In other words, the operative definitions should be based on overall type of information and job description, not on subjective judgment concerning each and every piece of information. At any given time, only a few bits may be necessary (such as the outstanding balance, not each and every charge made for the past 5 years), but there is no practical way of determining a priori which bits might be the significant ones.
Moreover, policy should be determined by the needs of the institution for optimum performance of its services, not in compliance with an inflexible one-size-fits-all standard imposed from outside.
CONCLUSIONS AND RECOMMENDATIONS
The concept of the “minimum necessary” is on the whole unintelligible and unenforceable in any consistent manner. In many areas, the writers appear to have punted: unable to define terms themselves, they delegate the definition to (still undefined) “professionals” in many different entities with many different agendas.
The phrase “minimum necessary” appears on at least 33 pages scattered throughout eight separate computer documents (the regulations being so long that it is inconvenient or impossible to download them all at once). A good start would be for the agency to make a comprehensive list of circumstances in which “minimum necessary” applies, and those in which it doesn't, with the precise circumstance described in words rather than by reference to a paragraph in the U.S. Code. This would also help to identify inconsistencies as in the proposed rule, under which information provided to workers' compensation carriers for treatment, payment, or health care operations was subject to the minimum necessary standard, but to the extent that the information had to be provided by law, it was NOT subject to the minimum necessary standard (see page 82542).
In cases in which certain information is needed for a narrow purpose, as opposed to diagnosis and treatment, a preferable mechanism is to have the physician or his assistant complete a form or dictate a letter responsive to specific questions. In this way, there is less ambiguity about what is needed or desired, and the patient can see exactly what needs to be released for a certain purpose, such as insurance coverage. This is by no means unprecedented. In the past, it was quite common for insurers to send a brief form requesting dates of treatment, diagnosis, relationship if any to injury at work, prescription given or procedure performed, generally within a specified period of time. Or the patient or government agency might request an assessment tailored to a claim for compensation or disability.
In other words, record requests should either be for a copy of the record within certain parameters (by dates, or general type of information such as lab reports, progress notes, and so forth) or for a specified set of information to be abstracted from the record. This is a more workable standard. It could actually be submitted for an outside, impartial judgment as to the legality and appropriateness of the request. It requires no omniscient person fully cognizant of the content of the record, the needs of the requestor, and the mindset of the enforcer.
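As an added illustration of the two approaches argued for above, namely internal access governed by job description and information type (answer to question 5) and outside requests that are either scoped by parameters or answered by abstracting specific items from the record (the preceding two paragraphs), the following Python is editorial example code, not part of the AAPS testimony. The chart entries, role names, section names, and form questions are all constructed for the example; it also records what was released to whom so that each release can be checked afterwards.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Entry:
    """One item in a chart, tagged by information type (section) and date."""
    section: str
    when: date
    data: dict


# Constructed sample chart (not real patient data).
CHART = [
    Entry("progress_note", date(2001, 3, 2), {"text": "Follow-up visit; condition stable."}),
    Entry("lab_report", date(2001, 3, 2), {"test": "CBC", "result": "within normal limits"}),
    Entry("billing", date(2001, 3, 2), {"charge": 75, "balance": 0}),
    Entry("psychotherapy_note", date(2001, 4, 10), {"text": "Segregated session note."}),
    Entry("progress_note", date(2001, 6, 15), {"text": "Annual examination."}),
    Entry("billing", date(2001, 6, 15), {"charge": 120, "balance": 120}),
]

# Hypothetical roles: access follows job description and information type,
# not a subjective judgment about each individual item.
ROLE_SECTIONS = {
    "accounting": {"billing"},
    "lab_technician": {"lab_report"},
    "nurse": {"progress_note", "lab_report", "billing"},  # segregated notes excluded
    "physician": {"progress_note", "lab_report", "billing", "psychotherapy_note"},
}

# Constructed date window used by the stand-alone run and the checks below.
Q1_START, Q1_END = date(2001, 1, 1), date(2001, 3, 31)

AUDIT_LOG = []  # (requester or purpose, section types released, item count)


def record_release(who, entries):
    """Log what left the chart and for whom, then hand the entries back."""
    AUDIT_LOG.append((who, sorted({e.section for e in entries}), len(entries)))
    return entries


def internal_view(chart, role):
    """Internal use: an employee sees only the section types tied to the role."""
    allowed = ROLE_SECTIONS.get(role, set())  # unknown role sees nothing
    return record_release(f"role:{role}", [e for e in chart if e.section in allowed])


def disclosure_copy(chart, sections, start, end):
    """Outside request for a copy within parameters: named section types and a date window."""
    selected = [e for e in chart if e.section in sections and start <= e.when <= end]
    return record_release("copy-request", selected)


# A standard form: each question is answered by abstracting from the chart
# rather than copying it, so the requester sees only the answers.
STANDARD_FORM = {
    "dates_of_treatment": lambda c: sorted({e.when for e in c if e.section == "progress_note"}),
    "outstanding_balance": lambda c: max(
        (e for e in c if e.section == "billing"), key=lambda e: e.when
    ).data["balance"],
}


def abstract(chart, form):
    """Outside request answered by specific abstracted items; the full record never leaves."""
    answers = {question: answer_fn(chart) for question, answer_fn in form.items()}
    AUDIT_LOG.append(("form-request", sorted(answers), len(answers)))
    return answers


if __name__ == "__main__":
    for role in ROLE_SECTIONS:
        print(role, [e.section for e in internal_view(CHART, role)])
    print([e.section for e in disclosure_copy(CHART, {"progress_note", "lab_report"}, Q1_START, Q1_END)])
    print(abstract(CHART, STANDARD_FORM))
    for line in AUDIT_LOG:
        print(line)
```

Both outside-request paths can be reviewed before anything is sent: the copy request is fully described by its section list and date window, and the form request by its question names, which is the property the testimony says the "minimum necessary" judgment lacks.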
Further, we recommend that the Office of Civil Rights issue advisory opinions and make available model forms that are suitable for various purposes.
For purposes of law enforcement, the Fourth Amendment should apply. Medical records should be at least as well protected as the papers in one's home. They should be available only with a warrant obtained from an impartial tribunal upon showing probable cause that an actual crime has been committed and that the medical record is likely to provide relevant evidence. The warrant must specifically describe the items to be seized.
While our Association strongly supports the patient's right to privacy, it is opposed to these regulations because their effects will mostly be destructive of the very principle they purport to secure.
Supplement to Testimony - 8/27/2001
AAPS would like to supplement its testimony by commenting on the consent provisions, specifically to state that we are not part of a perceived consensus.
We believe that the regulations actually coerce "consent" to disclose sensitive information for a very wide variety of purposes that might actually be inimical to the patients' interests, while imposing unprecedented and burdensome requirements on the appropriate use of lawfully obtained information.
The event triggering a need to obtain consent has always been disclosure of information. Consent to use the information is logically implied by the consent to disclose. The AMA acknowledges that consent to use is not practical or even possible in some circumstances. However, it is burdensome in all circumstances, and will inevitably have an adverse impact on the efficiency and quality of medical services, which depend on rapid information flow, while increasing costs. Physicians face the risk of punishment for the "crime" of transgressing some vague or as-yet-to-be-determined standard in the course of doing their best to provide optimal care. Optimal care always requires the best information. To exempt physicians who have no direct interaction with patients from this bizarre requirement, while applying it to those physicians who do interact with patients, highlights its absurdity.
To the best of our knowledge, the AMA is the only organization favoring the consent-to-use requirement. If it is not deleted in its entirety, it should be applied to narrowly defined circumstances. Its application should be by explicit definition rather than by lack of an exemption. The definition of the circumstances under which the requirement is triggered should include a rationale explaining why consent to disclose is not adequate.
Patient autonomy implies that patients do have the right and the discretion to permit both disclosure and use of their information, as for research, without constantly being asked to sign more forms. Physicians should be able to rely on that consent without having to constantly check whether it has been revoked.
It is the disclosure of information, particularly to a networked computer, that is both necessary and sufficient for abuse to occur. A consent-to-use requirement is a paper barrier of no proven efficacy. Over-reliance on this mechanism, and the waste of resources in implementing it, could well deter or even prevent the development of effective technologic measures whereby patients truly could assume control over access to their information, for example by supplying or withholding encryption keys.
These regulations result in the paradox that patients are forced to consent to very broad governmental access to data that could be used against them, as a condition of obtaining medical care, yet restricted in their ability to entrust information to physicians or researchers.
Previously, concern was focused on unauthorized use of information in ways resulting in harm to patients. Now, the ground has shifted to governmentally imposed and supervised control of information transmission. Very severe sanctions can be imposed, but for violations of process, without regard to harm to patients or lack thereof.
These regulations are a radical departure from traditional medical ethics as well as normal business procedures. They are flawed in principle; they cannot be fixed by tweaking them with more "guidance" or additional exemptions. They will cause severe damage to medical institutions with an overall negative impact on confidentiality. The only reasonable action is to withdraw them.