December
20, 1999 U.S.
Department of Health and Human Services Assistant
Secretary for Planning and Evaluation Attention:
Privacy-P Room
G-322A, Hubert H. Humphrey Building 200
Independence Ave. SW Washington,
DC 20201 Re: Standards for Privacy of Individually
Identifiable Health Information, 45 CFR Parts 160-164, Rin: 0991-AB08 Dear
Assistant Secretary: The
Association of American Physicians and Surgeons, a national organization
representing approximately 5,000 physicians in all specialties, was founded in
1943 to preserve and promote private medicine. We submit the following comments
regarding proposed medical privacy regulations published in the Federal
Register November 3. Summary The
beginning Summary states: "The rules... propose standards with respect to
the rights that individuals who are the subject of this information should
have." The statute provides that the Secretary
shall define the rights of individuals
who are the subject of protected health information. This delegation of authority,
however, can only apply within the context of the statute, the purpose of which
is to "improve...the efficiency and effectiveness of the health care
system, by encouraging the development of a health information system through
the establishment of standards and requirements for the electronic transmission
of certain health information." The statute does not delegate to the
Secretary the authority to make radical changes in the very concept of
confidentiality, to abrogate the right of individuals to control access to
their health information, to dictate the scope of the Fourth Amendment to the
U.S. Constitution, or to seize control of all health information so that it may
be used for any purpose approved by the federal government and its agents. The Secretary's interpretation of the
statute is overbroad. Executive agencies do not have the authority to read into
the statute terms that are not there, and the reading of the statute must be
consistent with the U.S. Constitution. Need for Privacy Standards I.
Background. A. Need for privacy standards. The Secretary notes that one-sixth
of respondents have taken action to avoid misuse of their information, such as
withholding or providing inaccurate information. This scope of this problem, we believe, is
understated. A survey of our members (344 responses tabulated to date) shows
that 78% of physicians have withheld information from a patient's record due to
privacy concerns; 87% have had a patient request the withholding of
information. Third parties frequently request information that physicians
believe to violate patient confidentiality: 70% say that health plans have made
such requests, 51% say that government and 54% that employers have done so.
More than 96% of respondents believe that these regulations will further
compromise patient privacy. Statutory Background I.
B. Statutory background. State laws that are more stringent than federal
standards will not be preempted. This recognition of the Tenth Amendment
is an extremely important safeguard. Administrative Costs I.
C. Administrative costs. "Even if the rules proposed below were to impose
net costs, which we do not believe they do, they would still be 'consistent
with' the objective of reducing administrative costs for the health care system
as a whole." We believe that these regulations will
impose significant burdens upon the care of the sick and may even render
excellent, personalized care impossible in many cases, particularly if fear of
the draconian penalties restricts the clinically necessary transmission of
information in a timely fashion. The rules are consistent with the
objective only if "health care system" is very broadly defined to
encompass many operations that most Americans do not consider to be part of
medical care. It is doubtful that Americans would favor paying more for
hospital care or physician visits in order to reduce the cost of unconsented
research, federal monitoring of "providers," enforcement of
regulations that no one even understands, the operations of health care
monoliths already accused of many abuses, and the rationing of care. The
definition of "health care system" is overbroad; moreover it begs the
question of whether the Department of HHS or the federal government has the
constitutional authority to monitor every transaction in a field of endeavor,
especially a highly personalized one. In effect, these regulations impose a
heavy tax on the productive part of an enterprise (medical care) -- the part
that is actually sought by individuals and that serves (or is intended to
serve) their own interests -- in order to expedite the part that is invisible
to or sometimes highly objectionable to those seeking or providing care. In
other words, the sick and the injured, and those who care for them, bear the
costs; others reap the benefits of any savings. For determining whether the
regulations are consistent with the objective of reducing administrative costs,
the costs and savings of various parts of the industry need to be assessed
separately: e.g. direct patient care; third-party reimbursement; research; law
enforcement; oversight; etc. Summary and Purpose I.E.
Summary and purpose of the proposed rule.
The Secretary notes that there is no individual cause of action for
individuals whose privacy rights are violated. We concur that this is a notable
omission. We note the vast disparity between the enormous penalties imposed on
those who violate a rule -- whether or not any individual is actually harmed
thereby -- and the total lack of compensation to any individual who is
harmed. Deterrence may be the
rationale, but no evidence is available as to any efficacy for protecting
patients, nor to the existence of net benefits once costs – such as impediments
to the timely provision of care – are accounted for. I.E.
The secretary notes that "any provider who maintains a solely paper
information system would not be subject to these privacy standards, thus
leaving another gap in the system of protection we propose to create." This gap may be the patient's sole means
of protecting his information against broad access to his medical records by
government as well as vast private and quasi-governmental special interest
groups. The Secretary apparently recognizes the
existence of statutory restrictions: "Although we are concerned that
extending our regulatory coverage to all records might be inconsistent with the
intent of the provision in HIPAA, we believe that we do have the authority to
do so." It appears that once a piece of information has passed through any
type of computer (as through a paper-to-computer FAX), the Secretary considers
it to be within her jurisdiction, to use as well as "protect."
We believe that to be overreaching by the executive branch. I.
E. 1. Applicability, b. Protected health information. "Under our proposal,
most uses and disclosures would not require explicit authorization by the
individual, but would be restricted by the provisions of the rule. As discussed
in section II.C. of this preamble, we propose to substitute regulatory
protections for the pro forma authorization used today." Expanded use, rather than protection,
will be the actual effect of these regulations, whatever their true intent. The
protection is merely a promise: if the patient gives the government and its
authorized agents complete entry into his medical records, then the government
will keep the information as safe as, say, his tax records (but not as safe as
his record of video rentals). An unstated premise is that
"unalienable" rights do not exist, only rights that may be automatically
waived on the promise of regulatory protection, at least when the needs of
society can be invoked. The perception that electronic records
are an open book to those who want to use them for purposes unintended and
unforeseen by the subjects will hinder the development of electronic records,
impair the quality of medical care as subjects withhold needed information, and
destroy the trust in the patient-physician relationship. I.E.4,5.
Uses and disclosures with individual authorization and uses and disclosures for
treatment, payment and health care operations. It is notable that authorization will be
required for uses that an individual is likely to find to be in his own
interest: employment, disability benefits, litigation, or the development of
marketing strategies to meet his needs more effectively. Authorization is not
required precisely for those uses that are not in an individual's own
interest. The latter uses may actually be more objectionable to him than the
former. The Secretary has assumed the power to "balance" the
individual's privacy with "other social values," such as smooth
operation of the health care system and other "national priorities."
The whole set of elaborate regulations is quite reminiscent of the constitution
in totalitarian systems that guaranteed the same rights as U.S. Constitution,
and then voided them with the phrase, "except as provided by
law." (See the 13th bulleted
point: "Where other law requires such disclosure and no other category of
permissible disclosures would allow the disclosure.") I.E.8.
Administrative requirements and policy development and documentation. This provision requires every
"covered entity" such as a physician, under pain of federal prison,
to develop the functional equivalent of a scaled-down police bureaucracy for
its internal medical records procedures (even if complaints about physicians'
use of medical records are nonexistent to rare). On its face, it is
particularly absurd for a solo physician to be appointing a "privacy
official." At the same time, "noncovered
entities," which are much more likely to threaten patients' privacy, are
under no such obligation. In fact, it is the duty of the covered entity to
monitor the noncovered entity and "punish" unacceptable practices,
even though the only available punishment is to deprive the business partner of
future business. Generally, such
threats work well in the free market, but in an increasingly regulated market,
they are severely hampered by the lack of available alternatives. Applicability II.
Provisions. A. Applicability. 1. Covered entities. "Health care providers
who themselves do not directly conduct electronic transactions would become
subject to the provisions of the proposed rule if another entity, such as a
billing agent or hospital, transmits health information in electronic form in
connection with a standard transaction on their behalf." This provision imposes vicarious
liability on physicians, who would be held responsible for transactions over
which they have little if any control. They have no discretion about the
occurrence of such transactions unless they withdraw from hospital practice.
Physicians who fear that they cannot meet the federal requirements may try to
avoid billing agents who transmit electronically, thus impeding the very
activities the legislation is intended to facilitate. II.A.2.
Covered information. a. Legislative authority. "Health information is
considered relatively 'safe' today, not because it is secure, but because it is
difficult to access." Indeed, health information is relatively
safe today. Once it becomes easy to access, it will inevitably be much less
safe, as the drafters of HIPAA recognize. These regulations will not increase
safety but will compromise it further. The only real safety of electronic
information will be achieved if its original form of entry precludes
unauthorized access, and if access can be gained only with patient consent and
cooperation. II.A.2.a.
The Secretary apparently assumes that her authority is (or should be) plenary
unless explicitly limited: "In HIPAA, when Congress intended to limit
health information to its electronic form, it did so explicitly." Thus, the regulations are expanded to
non-electronic media where they "support the overall goal of enabling
electronic information interchange." There is no inherent restriction in this
caveat. Anything, even a physician's notes to himself, could be construed as
supporting this goal. The Secretary's interpretation of the statute is
overbroad: there is no constitutional authority to delegate such unrestricted
power to an administrative agency. II.A.2.a.
"We are concerned about imposing additional burden with respect to health
information that was less likely to present privacy concerns: paper records
that are never reduced to electronic form are less likely to become broadly
disseminated throughout the health care system." The Secretary invites comment on this
reasoning: we totally concur with this observation and applaud her prudent
restraint in this regard. Definitions II.
B. Definitions. 4. Health care clearinghouses. "We propose to exempt
clearinghouses from a number of the provisions of this rule...because in most
cases clearinghouses would not be dealing directly with individuals." We believe that clearinghouses, of all
entities, should be covered precisely because they do not deal with individuals
who might serve to constrain their actions. Capability of misusing data (where
such misuse certainly does have the power to harm the individuals who are the subject
of the information) should be the operative factor, not whether the entity
"deals with individuals." II.
B. 7. Health plans. p. Other plans: "[T]he provisions of this rule
generally would NOT apply to certain types of insurance entities, such as workers'
compensation and automobile insurance carriers, other property and casualty
insurers, and certain forms of limited benefits coverage, even when such
arrangements provide coverage for health care services." Moreover,
"nothing in this rule would be intended to prevent a health care provided
from disclosing protected information to a noncovered insurance entity for the
purpose of obtaining payment for services." Specifically, disclosure of
information for determining an individual's fitness for work would not "be
disturbed" by this rule. This provides an obvious and giant
loophole for entities intent on profiting from disclosure of information with
the potential to be extremely harmful to an individual, as by affecting
prospects of employment. This also appears to give carte blanche for disclosing
any information as long as an insurer requires it as a condition of payment. II.B.
20. "Law enforcement official" is defined to mean "an officer of
the United States or a political subdivision thereof, who is empowered by law
to conduct an investigation or political proceeding arising from a violation
of, or failure to comply with, any law...." This "new" definition is so
broad that it could apply to any county or municipality official, even one
without law enforcement training of the traditional type. Such an official
might be on a fishing expedition for failure to comply with any of millions of
pages of federal regulations totally unrelated to health care as generally
understood or to crimes that lead to recognizable harm to any individual. As
for investigating "health care fraud," HHS already has gained
enormous power for issuing administrative subpoenas, and there is no
justification for extending that power even further. Conveying expansive new powers
to every official engaged in some form of "new" law enforcement is
very far removed from the stated purpose of legislation to achieve
"administrative simplification" of health care records. There is no
explicit justification for it in the statute. II.B.
21. Payment. "We offer a new definition of payment." This is another "new"
definition that vastly expands the power of government and other third party
"payors," turning them into controllers as well. Ironically, Congress
is now debating, and the Administration is advocating, legislation that is
supposed to return medical decision making to physicians. "Protected"
[highly accessible] "private" information is to be at the disposal of
a wide array of agencies to review necessity and "appropriateness" of
care, i.e. to predetermine or second-guess decisions made by patients and their
chosen medical advisors. Included among entities authorized to
receive information for "payment," which includes all information,
are employers. HHS explicitly considered and rejected the ideas of placing
conditions upon such disclosures, lest conditions "disrupt some beneficial
activities" [all undefined terms]. In our view, disclosures to employers
should require patient authorization and be limited to information needed for
the "beneficial activity." In fact, there appears to be an
inconsistency in the rules, in that some disclosures to employers require
authorization, but others─those related to the new definition of
"payment"─do not. II.
B. 23. "Psychotherapy notes." We agree that psychotherapy notes should
be kept from scrutiny by anyone other than the psychotherapist. However, we
note that these constitute only a portion of the psychiatric record, and
numerous other portions, knowledge of which could be very detrimental to the
patient, must still be made accessible (such as medication records and the
summary of treatment, prognosis, and progress). We believe that any physician's record
may contain information that is just as private as psychotherapy notes. Any
physician who is not a mere technician deals with the whole patient, including
his mental and spiritual well-being. The Oath of Hippocrates states: "All
that may come to my knowledge in the exercise of my profession or outside of my
profession or in daily commerce with men, which ought not to be spread abroad,
I will keep secret and never reveal." This Oath may be taken by any
physician, not just psychiatrists. By implication, HHS intends to assume the
power to force physicians, under penalty of federal law, to violate a sacred
Oath by revealing information that should be kept inviolate. For a physician
whose religious beliefs require him to abide by his Oaths, this provision would
constitute a prohibition on the free exercise of religion. We strenuously
object to federal governmental rules that conflict with the requirements of
professional ethics. II.
B. 29 Workforce. The Secretary
recognizes that certain medical conditions or treatments that "individuals
may believe are particularly sensitive, or which could be the basis of stigma
or discrimination," and invites comments on whether such information
should receive additional protections and how it should be identified. We believe that the mere acknowledgement
that specially protected information exists can make a person the object of
stigma or discrimination. For example, if only psychotherapy, AIDS tests, and
drug abuse information are kept segregated, then the individual with segregated
information is already stigmatized. This is another reason why the default
option with regard to protected medical information should always be
NONdisclosure. Introduction to General
Rules II.C.
General rules. "Most uses and disclosures of an individual's protected
health information would not require explicit authorization by an
individual....We intend to strike a balance between the need to maintain the
confidentiality of protected health information and the economic cost of doing
so." We believe that the Secretary's idea of
substituting regulatory protection for the need for authorization is completely
unacceptable. Individual medical records should be private, and that means that
voluntary authorization must be given for all uses, with authorization limited
to the information required for the purpose. A patient may wish to make use of
comprehensive prepayment plans for all medical expenses. These may require
electronic records with extensive access to oversight personnel. We understand
that when patients deal with third parties, they generally must make certain
compromises. The patient is the one who should decide whether the financial
benefit is worth the tradeoff. Some may wish to pay directly for most medical
care and only use insurance for catastrophic expenses. They should be allowed
to benefit from enhanced privacy protection. The Secretary, however, apparently wishes
to make information disclosure for a wide variety of purposes a condition of obtaining medical care,
all the while denying such an objective. She is thwarted in full achievement of
the objective only because Congress has not yet authorized her to regulate
(control) records that never pass through a computer. Thus, a patient can
obtain truly private care -- without providing information that can be used for
an FBI dossier -- only by forgoing any benefits of electronic information
processing, as well as the option of third-party reimbursement. Treatment, Payment, and
Health Care Operations II.C.1.b.
Health care operations (§164.506(a)). The Secretary's definition of
"health care operations" is so broad that she finds it more helpful
to list things that are NOT "health care operations." This is the
narrow range of activities for which "protected" health information
may not be used without explicit authorization. These include marketing,
insurance underwriting [is this unrelated to the payment function?], and
employment determinations. The definition of "health care
operations" is far too broad. There should be a short list of activities
for which information may be released (such as emergency treatment, situations
constituting a clear and present danger to self or others, or evidence of a
crime involving direct injury to person or property). Again, we believe that
the default option should be NONdisclosure. Introduction to Uses and
Disclosures Without Individual Authorization II.E.
Uses and disclosures without individual authorization (§164.510). "We
believe such safeguards strike the right balance between encouraging national
priority oversight activities and protecting individuals' privacy." In effect, the Secretary is asserting the
authority to circumscribe individual privacy to the narrowest possible realm,
which is contrary to the stated purpose of both the statute and the
regulations. Neither the statute nor the U.S. Constitution gives the Executive
Branch the authority to define national priorities that override fundamental
individual rights, or to monitor all medical care. Note
that in the Appendix to the Preamble, Provider Notice of Information Practices
(as of 1/1/99), Subpart A, §164.504 Definitions, a "health oversight
agency," which may use and disclose "protected health
information" without authorization, includes any person, agency, or
entity that performs (2) "other activity necessary for appropriate
oversight of the health care system," of government benefit programs, for
which health information is relevant to beneficiary eligibility, or of
government regulatory programs for which health information is necessary for
compliance with program standards." In effect, this provision essentially
gives the government unlimited access to patient medical records on a routine
basis. Public Health II.E.1.b.
"Public health activities" is given the sweeping definition of
"the prevention or control of disease, injury, or disability."
(§164.510(b)) This provision gives the government the
pretext to invade the bedroom, as well as every other area of the home or
workplace or clinic, to ascertain whether a citizen is smoking, taking a
vitamin supplement, watching a seditious video, or possibly experiencing a
forbidden sentiment, as long as a government agent can invent some remote
chance that disease or injury will occur somewhere in the population sometime
as a direct or indirect result. This concept is constitutionally abhorrent.
There is no justification for such sweeping authority in the statute, which
simply states that "Nothing in this part shall be construed to invalidate or limit the authority,
power, or procedures established under any law providing for the reporting of
disease or injury, child abuse, birth, or death, public health surveillance, or
public health investigation or intervention." A rule of the executive
branch cannot be lawfully used to change the very definition of terms in
previous laws. Health Oversight II.E.2.a.
"Importance of oversight and need for protected health information"
(§164.510(c)). Oversight activities, the Secretary states, are needed to
"ensure compliance with statutes, regulations, and other administrative
requirements applicable to public programs and to health care delivery." The glaring omission from these
regulations is any means of assuring accountability in the government agents
and private partners engaged in compliance monitoring. Although these rules
grant agents in all branches of government access to the most intimate patient
information in the interest of enforcing hundreds of thousands of pages of
rules, there are no rules applicable to these agents, much less any means of
enforcement. This violates the basic precept that all citizens are equal under
the law in that it creates a federally privileged class. The privileged class
may access patient information without patient consent, whereas "covered
entities" are subject to criminal penalties for comparable actions. Judicial and
Administrative Proceedings II.E.3.b.
Proposed requirements: disclosure of protected health information in judicial
or administrative proceedings. The Secretary acknowledges that there are
already means for obtaining and using such information through process of law.
No need or constitutional authorization is cited for expanding such use. Law Enforcement II.E.5.i.
(§164.510(f)). "If a misperception were to develop that law enforcement had
instant and pervasive access to medical records, the goals of this proposed
regulation could be undermined." We agree. Nonetheless, whatever the
perception, the reality of these regulations is that "law
enforcement," including agencies not concerned with protecting citizens
against the dangers that concern them (e.g. violent crime), does acquire vastly
expanded access. Government Health Data
Systems II.E.6
(§164.510(g)). Government health data systems: "The data are an important
resource that can be used for multiple policy evaluations." It appears that citizens could be
nonconsenting research subjects in a wide variety of public policy experiments,
to be defined later. At the same time (see section b), federal burdens and
controls will be expanded to non-federally funded research, further
consolidating the federal monopoly on research. In other words, the citizen
will have to participate in federally authorized projects without consent, but
will be denied the right to consent to other projects, unless these meet
federal requirements (which could be designed to make it nearly impossible for
small entities to engage in research). Research II.E.9g
(§164.510(j)). "If a covered entity chooses to obtain individual
authorization for use and disclosure of information for research, the
requirements applicable to individual authorizations for release of protected
health information would apply. These protections are described in
§164.508." Requirements for both federally and
privately funded research, if done by "covered entities," related to
actual treatment, and performed with patient consent, will become more onerous
and will impede new discoveries. Patients should be allowed to waive burdensome
bureaucratic requirements if they choose in order to facilitate longitudinal
studies. For example, the requirement to notify patients each time a record is
disclosed may make it impossible to use large amounts of data because of
expense and logistical difficulty in a mobile population. It is paradoxical that research that
patients have personally authorized will be far more heavily burdened than
research that is being carried on without their consent or knowledge, and which
is far less likely to bring personal benefit to the subjects. Introduction to the
Rights of Individuals: Notice of Information Practices II.F.1.c.ii.
The rights of individuals. Rights and Procedures for written notice. Content of
the notice. Required Statements: "We propose that the notice inform
individuals that they have the right to complain to the covered entity and to
the Secretary if they believe that their privacy rights have been
violated" (§164.518(a)(2)). In essence, the right to complain is the
only right that the Secretary recognizes for individuals. Providers are
required to give them substantial standardized information about how their
records may be used, but the only value of this paperwork may be to notify the
patients that no information is really private, once it is disclosed to a
health care provider. The result will be exactly as the Secretary describes in
the absence of protections that the patient considers meaningful: the
withholding of information, to the detriment of medical care. Notice of Information
Practices (§164.512) II.F.1.e.
Plain language requirement. The Secretary proposes requiring covered entities
to make a "reasonable effort" to use plain language in the notices
they develop. This includes the use of "common, everyday words in
sentences." The Secretary could expedite compliance
with the proposed rule by providing an example in her communications with
covered entities. In fact, the use of "common,
everyday" words might not be especially informative if the definition is
complex or is changed at will to meet the government's needs. The Secretary
requires several pages to define "State law," "provision of
State law," "privacy law," "contrary to," and
"more stringent." Access for Inspection
and Copying II.F.2.d.i.
Time limits (§164.514(d)(2)). The Secretary proposes that plans and providers
be required to respond within 30 days to a request for inspection and copying.
The Privacy Act and Freedom of Information Act are used as a basis for
determining what is "reasonable." For
obtaining information that may be crucial for diagnosis and treatment, a delay
of 30 days is far too long. The time required for government agencies to search
their files to respond to a FOIA request is a totally inappropriate standard of
comparison. Today, when the need is urgent, most health care providers should
be able to respond almost immediately, unless the records in question have been
inactive for many years. This long time lag could be used as a means for health
plans to maintain control over patients' access to services. Compliance
II.
J. 1. c. Compliance and enforcement.
The proposed §164.533(d)(2) "would affirmatively establish their
obligation to provide information to the Secretary upon demand." Criminal penalties are applicable to lack
of affirmative compliance; thus, this appears to us to violate the Fifth
Amendment protections against forced self incrimination. Small Business Assistance
III.
Small business assistance. "The length, and at times complexity, of the
preamble discussion may impress small businesses as creating overly burdensome
and costly requirements." Nevertheless, the Secretary opines that the rule
will be easily administrable. If there is ease of administration, this
is accomplished through the abolition of the requirement for informed consent
for release of information for purposes of treatment and payment. However, the
mechanisms for obtaining consent are already in place, so it is hard to impute
cost savings to offset the cost of the new administrative machinery. If the
entity ever discloses health information for other purposes, the entire apparatus
needs to be created regardless of how often it is used. Regulatory Impact
IV.
Preliminary regulatory impact analysis. The Secretary estimates a cost of $1
billion in the first year of implementation. This estimate disregards
"administrative simplification" costs as well as a large number of
other costs (implementation of the "minimum necessary disclosure"
principle; creating de-identified information; the creation of a privacy board;
etc.) It is fair to say that the cost of the
regulation is unknown but much
higher than $1 billion. The cost of $0.46 per health care encounter "to
improve health information privacy" may sound reasonable. However, the
true standard of reasonableness is whether a person would voluntarily pay it,
and this cost will be involuntary. Moreover, the cost should probably be
multiplied many times for small "providers," as the cost of
regulation is always disproportionately high for small entities (and often
prohibitive). Moreover, the "improvement" in "privacy" is
an abstraction at best, and a chimera or fraud at worst. In fact, the
regulation may resemble the FAA regulation requiring each passenger to be asked
the "security questions." This costs billions of dollars,
accomplishes nothing, and distracts personnel who might otherwise be watching
for security breaches (like people sneaking onto airplanes). The FAA
regulation, however, does not directly impair security, whereas these privacy
rules effectively abolish privacy with respect to government and its private
partners. IV.
A. In justifying the cost, the Secretary states that "the mental health of
our citizenry, no less than its physical health, is a public good of transcendent importance." This is a false and very dangerous
premise. In fact, preservation of limited constitutional government, with
protection of unalienable individual
rights, is of transcendent importance. Many have sacrificed health or life
itself to this end. To use health as a pretext to impair rights will ultimately
destroy our health as well. IV.C.
Need for the proposed action. The Secretary makes reference to the importance
of the Fourth Amendment, with emphasis on the fact that the right is not absolute. The key, once again, is the definition
of terms, in this case, "unreasonable." Anything that theoretically furthers the
pursuit of a transcendent value such as health is presumably
"reasonable." Having an administrative agency determining the limits
of an unalienable right is very dangerous. There is no statutory basis for the
Secretary to be limiting the application of the Fourth Amendment, even if such
a provision were constitutional. IV.
G. Examination of alternative approaches. 3. "We also intend to prohibit
covered entities from seeking individual authorization for uses and disclosures
for treatment, payment and health care operations unless required by State or
other applicable law....[S]uch authorizations could not provide meaningful
privacy protections or individual control and could in fact cultivate in
individuals erroneous understandings of their rights and protections." This is an extremely interesting
provision, of the type that prohibits anything that is not required. Apparently, asking for consent implies that
the individual has the right to refuse consent, which would imply that the entity
may not disseminate the information without consent, and that this whole
proposed regulation violates the individual's rights─ as we believe it
does. IV.
G. 5. Right to restrict uses and disclosures.
"We propose to permit in §164.506(c) that individuals be able to
request that a covered entity restrict further uses and disclosures of covered
health information...." Note that the entity is not obligated to
grant the request, if it "do[es] not wish to do so." Nor may it grant
the request if release of information is mandated by law. We agree that the right to make a request
should not be limited to self-paying patients. This "right" is, however, meaningless if the government has
effectively made it impossible for a health care provider to grant the request.
Conclusions
Conclusions:
We recommend that this rule be withdrawn and rewritten entirely to conform to
statutory and constitutional limitations. In the event that it is implemented,
we believe the only privacy protection available to individuals is to eschew
third-party payment or treatment that involves an electronic record. We believe that the individual owns the
information pertaining to himself or herself in the medical record and should
be in control of its dissemination. The individual should be permitted to
authorize uses that might not be permitted in the rule (such as research), and
should not be forced, in effect, to have information released for purposes he
or she does not approve as a condition of obtaining medical treatment. The use of
the individual's information should be determined by private contractual
arrangements, as with insurers. The purpose of these regulations should be to
establish standards for the electronic
transmission of health information to protect against use and disclosure
not authorized by the patient. The standards should not impose costs upon the
ordinary provision of medical care, nor should they subvert the Fourth
Amendment, nor should they serve as a backdoor for implementing a unique
national health identifier (which most Americans strenuously oppose). Respectfully
submitted, Jane
M. Orient, M.D., Executive Director |