Action Alert - Comments Due on [End-of] Privacy Regs!

1601 N. Tucson Blvd. Suite 9
Tucson, AZ 85716-3450
Phone: (800) 635-1196
Hotline: (800) 419-4777
Association of American Physicians and Surgeons, Inc.
A Voice for Private Physicians Since 1943
Omnia pro aegroto


December 20, 1999



U.S. Department of Health and Human Services

Assistant Secretary for Planning and Evaluation

Attention: Privacy-P

Room G-322A, Hubert H. Humphrey Building

200 Independence Ave. SW

Washington, DC 20201


Re: Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160-164, RIN: 0991-AB08


Dear Assistant Secretary:


The Association of American Physicians and Surgeons, a national organization representing approximately 5,000 physicians in all specialties, was founded in 1943 to preserve and promote private medicine. We submit the following comments regarding proposed medical privacy regulations published in the Federal Register November 3.




The beginning Summary states: "The rules... propose standards with respect to the rights that individuals who are the subject of this information should have."


The statute provides that the Secretary shall define the rights of individuals who are the subject of protected health information. This delegation of authority, however, can only apply within the context of the statute, the purpose of which is to "improve...the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information."


The statute does not delegate to the Secretary the authority to make radical changes in the very concept of confidentiality, to abrogate the right of individuals to control access to their health information, to dictate the scope of the Fourth Amendment to the U.S. Constitution, or to seize control of all health information so that it may be used for any purpose approved by the federal government and its agents.

The Secretary's interpretation of the statute is overbroad. Executive agencies do not have the authority to read into the statute terms that are not there, and the reading of the statute must be consistent with the U.S. Constitution.


Need for Privacy Standards


I. Background. A. Need for privacy standards. The Secretary notes that one-sixth of respondents have taken action to avoid misuse of their information, such as withholding or providing inaccurate information.


The scope of this problem, we believe, is understated. A survey of our members (344 responses tabulated to date) shows that 78% of physicians have withheld information from a patient's record due to privacy concerns; 87% have had a patient request the withholding of information. Third parties frequently request information that physicians believe to violate patient confidentiality: 70% say that health plans have made such requests, 51% say that government and 54% that employers have done so. More than 96% of respondents believe that these regulations will further compromise patient privacy.


Statutory Background


I. B. Statutory background. State laws that are more stringent than federal standards will not be preempted.


This recognition of the Tenth Amendment is an extremely important safeguard.


Administrative Costs


I. C. Administrative costs. "Even if the rules proposed below were to impose net costs, which we do not believe they do, they would still be 'consistent with' the objective of reducing administrative costs for the health care system as a whole."


We believe that these regulations will impose significant burdens upon the care of the sick and may even render excellent, personalized care impossible in many cases, particularly if fear of the draconian penalties restricts the clinically necessary transmission of information in a timely fashion.


The rules are consistent with the objective only if "health care system" is very broadly defined to encompass many operations that most Americans do not consider to be part of medical care. It is doubtful that Americans would favor paying more for hospital care or physician visits in order to reduce the cost of unconsented research, federal monitoring of "providers," enforcement of regulations that no one even understands, the operations of health care monoliths already accused of many abuses, and the rationing of care. The definition of "health care system" is overbroad; moreover it begs the question of whether the Department of HHS or the federal government has the constitutional authority to monitor every transaction in a field of endeavor, especially a highly personalized one.


In effect, these regulations impose a heavy tax on the productive part of an enterprise (medical care) -- the part that is actually sought by individuals and that serves (or is intended to serve) their own interests -- in order to expedite the part that is invisible to or sometimes highly objectionable to those seeking or providing care. In other words, the sick and the injured, and those who care for them, bear the costs; others reap the benefits of any savings. For determining whether the regulations are consistent with the objective of reducing administrative costs, the costs and savings of various parts of the industry need to be assessed separately: e.g. direct patient care; third-party reimbursement; research; law enforcement; oversight; etc.


Summary and Purpose


I.E. Summary and purpose of the proposed rule. The Secretary notes that there is no individual cause of action for individuals whose privacy rights are violated.


We concur that this is a notable omission. We note the vast disparity between the enormous penalties imposed on those who violate a rule -- whether or not any individual is actually harmed thereby -- and the total lack of compensation to any individual who is harmed. Deterrence may be the rationale, but no evidence is available as to any efficacy for protecting patients, nor to the existence of net benefits once costs such as impediments to the timely provision of care are accounted for.


I.E. The Secretary notes that "any provider who maintains a solely paper information system would not be subject to these privacy standards, thus leaving another gap in the system of protection we propose to create."


This gap may be the patient's sole means of protecting his information against broad access to his medical records by government as well as vast private and quasi-governmental special interest groups.


The Secretary apparently recognizes the existence of statutory restrictions: "Although we are concerned that extending our regulatory coverage to all records might be inconsistent with the intent of the provision in HIPAA, we believe that we do have the authority to do so." It appears that once a piece of information has passed through any type of computer (as through a paper-to-computer FAX), the Secretary considers it to be within her jurisdiction, to use as well as "protect." We believe that to be overreaching by the executive branch.


I. E. 1. Applicability, b. Protected health information. "Under our proposal, most uses and disclosures would not require explicit authorization by the individual, but would be restricted by the provisions of the rule. As discussed in section II.C. of this preamble, we propose to substitute regulatory protections for the pro forma authorization used today."



Expanded use, rather than protection, will be the actual effect of these regulations, whatever their true intent. The protection is merely a promise: if the patient gives the government and its authorized agents complete entry into his medical records, then the government will keep the information as safe as, say, his tax records (but not as safe as his record of video rentals). An unstated premise is that "unalienable" rights do not exist, only rights that may be automatically waived on the promise of regulatory protection, at least when the needs of society can be invoked.


The perception that electronic records are an open book to those who want to use them for purposes unintended and unforeseen by the subjects will hinder the development of electronic records, impair the quality of medical care as subjects withhold needed information, and destroy the trust in the patient-physician relationship.


I.E.4,5. Uses and disclosures with individual authorization and uses and disclosures for treatment, payment and health care operations.


It is notable that authorization will be required for uses that an individual is likely to find to be in his own interest: employment, disability benefits, litigation, or the development of marketing strategies to meet his needs more effectively. Authorization is not required precisely for those uses that are not in an individual's own interest. The latter uses may actually be more objectionable to him than the former. The Secretary has assumed the power to "balance" the individual's privacy with "other social values," such as smooth operation of the health care system and other "national priorities." The whole set of elaborate regulations is quite reminiscent of the constitution in totalitarian systems that guaranteed the same rights as the U.S. Constitution, and then voided them with the phrase, "except as provided by law." (See the 13th bulleted point: "Where other law requires such disclosure and no other category of permissible disclosures would allow the disclosure.")


I.E.8. Administrative requirements and policy development and documentation.


This provision requires every "covered entity" such as a physician, under pain of federal prison, to develop the functional equivalent of a scaled-down police bureaucracy for its internal medical records procedures (even if complaints about physicians' use of medical records are nonexistent to rare). On its face, it is particularly absurd for a solo physician to be appointing a "privacy official."


At the same time, "noncovered entities," which are much more likely to threaten patients' privacy, are under no such obligation. In fact, it is the duty of the covered entity to monitor the noncovered entity and "punish" unacceptable practices, even though the only available punishment is to deprive the business partner of future business. Generally, such threats work well in the free market, but in an increasingly regulated market, they are severely hampered by the lack of available alternatives.






II. Provisions. A. Applicability. 1. Covered entities. "Health care providers who themselves do not directly conduct electronic transactions would become subject to the provisions of the proposed rule if another entity, such as a billing agent or hospital, transmits health information in electronic form in connection with a standard transaction on their behalf."


This provision imposes vicarious liability on physicians, who would be held responsible for transactions over which they have little if any control. They have no discretion about the occurrence of such transactions unless they withdraw from hospital practice. Physicians who fear that they cannot meet the federal requirements may try to avoid billing agents who transmit electronically, thus impeding the very activities the legislation is intended to facilitate.


II.A.2. Covered information. a. Legislative authority. "Health information is considered relatively 'safe' today, not because it is secure, but because it is difficult to access."


Indeed, health information is relatively safe today. Once it becomes easy to access, it will inevitably be much less safe, as the drafters of HIPAA recognize. These regulations will not increase safety but will compromise it further.


The only real safety of electronic information will be achieved if its original form of entry precludes unauthorized access, and if access can be gained only with patient consent and cooperation.


II.A.2.a. The Secretary apparently assumes that her authority is (or should be) plenary unless explicitly limited: "In HIPAA, when Congress intended to limit health information to its electronic form, it did so explicitly." Thus, the regulations are expanded to non-electronic media where they "support the overall goal of enabling electronic information interchange."


There is no inherent restriction in this caveat. Anything, even a physician's notes to himself, could be construed as supporting this goal. The Secretary's interpretation of the statute is overbroad: there is no constitutional authority to delegate such unrestricted power to an administrative agency.


II.A.2.a. "We are concerned about imposing additional burden with respect to health information that was less likely to present privacy concerns: paper records that are never reduced to electronic form are less likely to become broadly disseminated throughout the health care system."


The Secretary invites comment on this reasoning: we totally concur with this observation and applaud her prudent restraint in this regard.







II. B. Definitions. 4. Health care clearinghouses. "We propose to exempt clearinghouses from a number of the provisions of this rule...because in most cases clearinghouses would not be dealing directly with individuals."


We believe that clearinghouses, of all entities, should be covered precisely because they do not deal with individuals who might serve to constrain their actions. Capability of misusing data (where such misuse certainly does have the power to harm the individuals who are the subject of the information) should be the operative factor, not whether the entity "deals with individuals."


II. B. 7. Health plans. p. Other plans: "[T]he provisions of this rule generally would NOT apply to certain types of insurance entities, such as workers' compensation and automobile insurance carriers, other property and casualty insurers, and certain forms of limited benefits coverage, even when such arrangements provide coverage for health care services." Moreover, "nothing in this rule would be intended to prevent a health care provider from disclosing protected information to a noncovered insurance entity for the purpose of obtaining payment for services." Specifically, disclosure of information for determining an individual's fitness for work would not "be disturbed" by this rule.


This provides an obvious and giant loophole for entities intent on profiting from disclosure of information with the potential to be extremely harmful to an individual, as by affecting prospects of employment. This also appears to give carte blanche for disclosing any information as long as an insurer requires it as a condition of payment.


II.B. 20. "Law enforcement official" is defined to mean "an officer of the United States or a political subdivision thereof, who is empowered by law to conduct an investigation or political proceeding arising from a violation of, or failure to comply with, any law...."


This "new" definition is so broad that it could apply to any county or municipality official, even one without law enforcement training of the traditional type. Such an official might be on a fishing expedition for failure to comply with any of millions of pages of federal regulations totally unrelated to health care as generally understood or to crimes that lead to recognizable harm to any individual. As for investigating "health care fraud," HHS already has gained enormous power for issuing administrative subpoenas, and there is no justification for extending that power even further. Conveying expansive new powers to every official engaged in some form of "new" law enforcement is very far removed from the stated purpose of legislation to achieve "administrative simplification" of health care records. There is no explicit justification for it in the statute.


II.B. 21. Payment. "We offer a new definition of payment."


This is another "new" definition that vastly expands the power of government and other third party "payors," turning them into controllers as well. Ironically, Congress is now debating, and the Administration is advocating, legislation that is supposed to return medical decision making to physicians. "Protected" [highly accessible] "private" information is to be at the disposal of a wide array of agencies to review necessity and "appropriateness" of care, i.e. to predetermine or second-guess decisions made by patients and their chosen medical advisors.


Included among entities authorized to receive information for "payment," which includes all information, are employers. HHS explicitly considered and rejected the ideas of placing conditions upon such disclosures, lest conditions "disrupt some beneficial activities" [all undefined terms].


In our view, disclosures to employers should require patient authorization and be limited to information needed for the "beneficial activity." In fact, there appears to be an inconsistency in the rules, in that some disclosures to employers require authorization, but others -- those related to the new definition of "payment" -- do not.


II. B. 23. "Psychotherapy notes."


We agree that psychotherapy notes should be kept from scrutiny by anyone other than the psychotherapist. However, we note that these constitute only a portion of the psychiatric record, and numerous other portions, knowledge of which could be very detrimental to the patient, must still be made accessible (such as medication records and the summary of treatment, prognosis, and progress).


We believe that any physician's record may contain information that is just as private as psychotherapy notes. Any physician who is not a mere technician deals with the whole patient, including his mental and spiritual well-being. The Oath of Hippocrates states: "All that may come to my knowledge in the exercise of my profession or outside of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and never reveal." This Oath may be taken by any physician, not just psychiatrists.


By implication, HHS intends to assume the power to force physicians, under penalty of federal law, to violate a sacred Oath by revealing information that should be kept inviolate. For a physician whose religious beliefs require him to abide by his Oaths, this provision would constitute a prohibition on the free exercise of religion. We strenuously object to federal governmental rules that conflict with the requirements of professional ethics.



II. B. 29 Workforce. The Secretary recognizes certain medical conditions or treatments that "individuals may believe are particularly sensitive, or which could be the basis of stigma or discrimination," and invites comments on whether such information should receive additional protections and how it should be identified.


We believe that the mere acknowledgement that specially protected information exists can make a person the object of stigma or discrimination. For example, if only psychotherapy, AIDS tests, and drug abuse information are kept segregated, then the individual with segregated information is already stigmatized. This is another reason why the default option with regard to protected medical information should always be NONdisclosure.


Introduction to General Rules


II.C. General rules. "Most uses and disclosures of an individual's protected health information would not require explicit authorization by an individual....We intend to strike a balance between the need to maintain the confidentiality of protected health information and the economic cost of doing so."


We believe that the Secretary's idea of substituting regulatory protection for the need for authorization is completely unacceptable. Individual medical records should be private, and that means that voluntary authorization must be given for all uses, with authorization limited to the information required for the purpose.


A patient may wish to make use of comprehensive prepayment plans for all medical expenses. These may require electronic records with extensive access to oversight personnel. We understand that when patients deal with third parties, they generally must make certain compromises. The patient is the one who should decide whether the financial benefit is worth the tradeoff. Some may wish to pay directly for most medical care and only use insurance for catastrophic expenses. They should be allowed to benefit from enhanced privacy protection.


The Secretary, however, apparently wishes to make information disclosure for a wide variety of purposes a condition of obtaining medical care, all the while denying such an objective. She is thwarted in full achievement of the objective only because Congress has not yet authorized her to regulate (control) records that never pass through a computer. Thus, a patient can obtain truly private care -- without providing information that can be used for an FBI dossier -- only by forgoing any benefits of electronic information processing, as well as the option of third-party reimbursement.


Treatment, Payment, and Health Care Operations


II.C.1.b. Health care operations (164.506(a)). The Secretary's definition of "health care operations" is so broad that she finds it more helpful to list things that are NOT "health care operations." This is the narrow range of activities for which "protected" health information may not be used without explicit authorization. These include marketing, insurance underwriting [is this unrelated to the payment function?], and employment determinations.


The definition of "health care operations" is far too broad. There should be a short list of activities for which information may be released (such as emergency treatment, situations constituting a clear and present danger to self or others, or evidence of a crime involving direct injury to person or property). Again, we believe that the default option should be NONdisclosure.


Introduction to Uses and Disclosures Without Individual Authorization


II.E. Uses and disclosures without individual authorization (164.510). "We believe such safeguards strike the right balance between encouraging national priority oversight activities and protecting individuals' privacy."


In effect, the Secretary is asserting the authority to circumscribe individual privacy to the narrowest possible realm, which is contrary to the stated purpose of both the statute and the regulations. Neither the statute nor the U.S. Constitution gives the Executive Branch the authority to define national priorities that override fundamental individual rights, or to monitor all medical care.


Note that in the Appendix to the Preamble, Provider Notice of Information Practices (as of 1/1/99), Subpart A, 164.504 Definitions, a "health oversight agency," which may use and disclose "protected health information" without authorization, includes any person, agency, or entity that performs (2) "other activity necessary for appropriate oversight of the health care system, of government benefit programs, for which health information is relevant to beneficiary eligibility, or of government regulatory programs for which health information is necessary for compliance with program standards."


In effect, this provision essentially gives the government unlimited access to patient medical records on a routine basis.


Public Health


II.E.1.b. "Public health activities" is given the sweeping definition of "the prevention or control of disease, injury, or disability." (164.510(b))


This provision gives the government the pretext to invade the bedroom, as well as every other area of the home or workplace or clinic, to ascertain whether a citizen is smoking, taking a vitamin supplement, watching a seditious video, or possibly experiencing a forbidden sentiment, as long as a government agent can invent some remote chance that disease or injury will occur somewhere in the population sometime as a direct or indirect result. This concept is constitutionally abhorrent. There is no justification for such sweeping authority in the statute, which simply states that "Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention." A rule of the executive branch cannot be lawfully used to change the very definition of terms in previous laws.



Health Oversight


II.E.2.a. "Importance of oversight and need for protected health information" (164.510(c)). Oversight activities, the Secretary states, are needed to "ensure compliance with statutes, regulations, and other administrative requirements applicable to public programs and to health care delivery."


The glaring omission from these regulations is any means of assuring accountability in the government agents and private partners engaged in compliance monitoring. Although these rules grant agents in all branches of government access to the most intimate patient information in the interest of enforcing hundreds of thousands of pages of rules, there are no rules applicable to these agents, much less any means of enforcement. This violates the basic precept that all citizens are equal under the law in that it creates a federally privileged class. The privileged class may access patient information without patient consent, whereas "covered entities" are subject to criminal penalties for comparable actions.


Judicial and Administrative Proceedings


II.E.3.b. Proposed requirements: disclosure of protected health information in judicial or administrative proceedings.


The Secretary acknowledges that there are already means for obtaining and using such information through process of law. No need or constitutional authorization is cited for expanding such use.


Law Enforcement


II.E.5.i. (164.510(f)). "If a misperception were to develop that law enforcement had instant and pervasive access to medical records, the goals of this proposed regulation could be undermined."


We agree. Nonetheless, whatever the perception, the reality of these regulations is that "law enforcement," including agencies not concerned with protecting citizens against the dangers that concern them (e.g. violent crime), does acquire vastly expanded access.



Government Health Data Systems


II.E.6 (164.510(g)). Government health data systems: "The data are an important resource that can be used for multiple policy evaluations."


It appears that citizens could be nonconsenting research subjects in a wide variety of public policy experiments, to be defined later. At the same time (see section b), federal burdens and controls will be expanded to non-federally funded research, further consolidating the federal monopoly on research. In other words, the citizen will have to participate in federally authorized projects without consent, but will be denied the right to consent to other projects, unless these meet federal requirements (which could be designed to make it nearly impossible for small entities to engage in research).




II.E.9g (164.510(j)). "If a covered entity chooses to obtain individual authorization for use and disclosure of information for research, the requirements applicable to individual authorizations for release of protected health information would apply. These protections are described in 164.508."


Requirements for both federally and privately funded research, if done by "covered entities," related to actual treatment, and performed with patient consent, will become more onerous and will impede new discoveries. Patients should be allowed to waive burdensome bureaucratic requirements if they choose in order to facilitate longitudinal studies. For example, the requirement to notify patients each time a record is disclosed may make it impossible to use large amounts of data because of expense and logistical difficulty in a mobile population.


It is paradoxical that research that patients have personally authorized will be far more heavily burdened than research that is being carried on without their consent or knowledge, and which is far less likely to bring personal benefit to the subjects.


Introduction to the Rights of Individuals: Notice of Information Practices


II.F.1.c.ii. The rights of individuals. Rights and Procedures for written notice. Content of the notice. Required Statements: "We propose that the notice inform individuals that they have the right to complain to the covered entity and to the Secretary if they believe that their privacy rights have been violated" (164.518(a)(2)).


In essence, the right to complain is the only right that the Secretary recognizes for individuals. Providers are required to give them substantial standardized information about how their records may be used, but the only value of this paperwork may be to notify the patients that no information is really private, once it is disclosed to a health care provider. The result will be exactly as the Secretary describes in the absence of protections that the patient considers meaningful: the withholding of information, to the detriment of medical care.




Notice of Information Practices (164.512)


II.F.1.e. Plain language requirement. The Secretary proposes requiring covered entities to make a "reasonable effort" to use plain language in the notices they develop. This includes the use of "common, everyday words in sentences."


The Secretary could expedite compliance with the proposed rule by providing an example in her communications with covered entities.


In fact, the use of "common, everyday" words might not be especially informative if the definition is complex or is changed at will to meet the government's needs. The Secretary requires several pages to define "State law," "provision of State law," "privacy law," "contrary to," and "more stringent."


Access for Inspection and Copying


II.F.2.d.i. Time limits (164.514(d)(2)). The Secretary proposes that plans and providers be required to respond within 30 days to a request for inspection and copying. The Privacy Act and Freedom of Information Act are used as a basis for determining what is "reasonable."


For obtaining information that may be crucial for diagnosis and treatment, a delay of 30 days is far too long. The time required for government agencies to search their files to respond to a FOIA request is a totally inappropriate standard of comparison. Today, when the need is urgent, most health care providers should be able to respond almost immediately, unless the records in question have been inactive for many years. This long time lag could be used as a means for health plans to maintain control over patients' access to services.




II. J. 1. c. Compliance and enforcement. The proposed 164.533(d)(2) "would affirmatively establish their obligation to provide information to the Secretary upon demand."


Criminal penalties are applicable to lack of affirmative compliance; thus, this appears to us to violate the Fifth Amendment protections against forced self-incrimination.


Small Business Assistance


III. Small business assistance. "The length, and at times complexity, of the preamble discussion may impress small businesses as creating overly burdensome and costly requirements." Nevertheless, the Secretary opines that the rule will be easily administrable.


If there is ease of administration, this is accomplished through the abolition of the requirement for informed consent for release of information for purposes of treatment and payment. However, the mechanisms for obtaining consent are already in place, so it is hard to impute cost savings to offset the cost of the new administrative machinery. If the entity ever discloses health information for other purposes, the entire apparatus needs to be created regardless of how often it is used.




Regulatory Impact


IV. Preliminary regulatory impact analysis. The Secretary estimates a cost of $1 billion in the first year of implementation. This estimate disregards "administrative simplification" costs as well as a large number of other costs (implementation of the "minimum necessary disclosure" principle; creating de-identified information; the creation of a privacy board; etc.).


It is fair to say that the cost of the regulation is unknown but much higher than $1 billion. The cost of $0.46 per health care encounter "to improve health information privacy" may sound reasonable. However, the true standard of reasonableness is whether a person would voluntarily pay it, and this cost will be involuntary. Moreover, the cost should probably be multiplied many times for small "providers," as the cost of regulation is always disproportionately high for small entities (and often prohibitive). Moreover, the "improvement" in "privacy" is an abstraction at best, and a chimera or fraud at worst. In fact, the regulation may resemble the FAA regulation requiring each passenger to be asked the "security questions." This costs billions of dollars, accomplishes nothing, and distracts personnel who might otherwise be watching for security breaches (like people sneaking onto airplanes). The FAA regulation, however, does not directly impair security, whereas these privacy rules effectively abolish privacy with respect to government and its private partners.


IV. A. In justifying the cost, the Secretary states that "the mental health of our citizenry, no less than its physical health, is a public good of transcendent importance."


This is a false and very dangerous premise. In fact, preservation of limited constitutional government, with protection of unalienable individual rights, is of transcendent importance. Many have sacrificed health or life itself to this end. To use health as a pretext to impair rights will ultimately destroy our health as well.


IV.C. Need for the proposed action. The Secretary makes reference to the importance of the Fourth Amendment, with emphasis on the fact that the right is not absolute. The key, once again, is the definition of terms, in this case, "unreasonable."


Anything that theoretically furthers the pursuit of a transcendent value such as health is presumably "reasonable." Having an administrative agency determining the limits of an unalienable right is very dangerous. There is no statutory basis for the Secretary to be limiting the application of the Fourth Amendment, even if such a provision were constitutional.


IV. G. Examination of alternative approaches. 3. "We also intend to prohibit covered entities from seeking individual authorization for uses and disclosures for treatment, payment and health care operations unless required by State or other applicable law....[S]uch authorizations could not provide meaningful privacy protections or individual control and could in fact cultivate in individuals erroneous understandings of their rights and protections."


This is an extremely interesting provision, of the type that prohibits anything that is not required. Apparently, asking for consent implies that the individual has the right to refuse consent, which would imply that the entity may not disseminate the information without consent, and that this whole proposed regulation violates the individual's rights, as we believe it does.



IV. G. 5. Right to restrict uses and disclosures. "We propose to permit in 164.506(c) that individuals be able to request that a covered entity restrict further uses and disclosures of covered health information...."


Note that the entity is not obligated to grant the request, if it "do[es] not wish to do so." Nor may it grant the request if release of information is mandated by law.


We agree that the right to make a request should not be limited to self-paying patients.

This "right" is, however, meaningless if the government has effectively made it impossible for a health care provider to grant the request.




Conclusions: We recommend that this rule be withdrawn and rewritten entirely to conform to statutory and constitutional limitations. In the event that it is implemented, we believe the only privacy protection available to individuals is to eschew third-party payment or treatment that involves an electronic record.

We believe that the individual owns the information pertaining to himself or herself in the medical record and should be in control of its dissemination. The individual should be permitted to authorize uses that might not be permitted in the rule (such as research), and should not be forced, in effect, to have information released for purposes he or she does not approve as a condition of obtaining medical treatment. The use of the individual's information should be determined by private contractual arrangements, as with insurers. The purpose of these regulations should be to establish standards for the electronic transmission of health information to protect against use and disclosure not authorized by the patient. The standards should not impose costs upon the ordinary provision of medical care, nor should they subvert the Fourth Amendment, nor should they serve as a backdoor for implementing a unique national health identifier (which most Americans strenuously oppose).



Respectfully submitted,




Jane M. Orient, M.D., Executive Director