In 1999 Americans should never have to worry about nightmare scenarios depicted in George Orwell's 1984. I am determined to put an end to such violations of privacy. That's why I'm honoring the pledge I made in the State of the Union Address and using the full authority of this office to create the first comprehensive national standards for protection of medical records.1
--President Bill Clinton, October 29, 1999
President Clinton recently unveiled a large body of federal regulations ostensibly designed to protect Americans' medical privacy. In the statement announcing the proposed U.S. Department of Health and Human Services (HHS) regulations on privacy, the President said the regulations "would greatly limit the release of private health information without consent."2 Nothing could be further from the truth: The pending medical privacy regulations will do little to protect patients' medical privacy. Instead, they will allow the federal government--not individuals--to decide who has access to patients' private medical information and whether patient consent is necessary for the release of that information to a myriad of other entities.
This fundamental--and dangerous--shift from current state laws, which for the most part require patient authorization before information can be shared, is unfortunate. If these proposed HHS regulations are adopted, the Administration will have initiated the greatest invasion of medical privacy in recent history.
The Scope of the Problem.
When patients go to the doctor, they expect that the sensitive information they provide will be kept confidential. This basic freedom brings peace of mind during what are often very stressful circumstances. Unfortunately, under the guise of protecting the privacy of Americans, the federal government is poised to take away from patients both their right to privacy and their peace of mind. The proposed HHS regulations would enable private and government entities to track patients' medical information electronically without their consent.
The crisis facing Americans in losing the right to medical privacy is representative of broader problems within the health insurance market. The fundamental problem of protecting medical privacy is aggravated by the fact that ordinary Americans do not own and control their health insurance policies as they do their automobile or homeowners insurance.3 Because most Americans obtain insurance coverage through their employer, it is the employer, not the worker and his or her family, who sets the terms and conditions of coverage and owns and controls the policy. For most families, the insurance company is not an agent who would act on their behalf in matters of benefits, treatments, the physicians they seek, or the level of privacy they enjoy.
For Americans in government health programs, privacy is subject to bureaucratic decisions over which they have no control. An excellent example of the potential for abuse in this system is the Administration's 1999 decision to collect detailed and sensitive personal information on Medicare patients--and even non-Medicare patients--receiving home health services.4 If patients refuse to share personal information, then the government requires home-care workers to collect the information anyway without the patient's consent.
Forging a Better Policy.
Members of Congress should safeguard Americans' medical privacy. Congress should enforce the use of patient consent forms, prohibit the use of a "unique health identifier," and make sure that federal rules or regulations do not supersede the laws of the states that protect the medical records of their citizens. It should eliminate obstacles in current federal tax law that make it virtually impossible for individuals and families to own and control their own health insurance. And it should ensure that individuals and families, including those covered by Medicare, are guaranteed the right to pay a physician privately for medical services of their choice and are not forced to submit claims to third-party administrators if they do not wish to do so. It also should remove the restrictions that limit the use of medical savings accounts (MSAs), which would facilitate direct private-sector payment for medical services.
In 1994, Americans and their representatives in Congress resoundingly rejected the Clinton Administration's massive plan to "reform" health care. Part of its plan called for assigning a "unique health identifier" to every American and issuing a "smart card" with the patient's ID number in order to track each person's medical treatment electronically from cradle to grave.
Although the Clinton health plan did not receive a single vote in Congress in 1994, Congress and the Administration essentially adopted this critical section of the plan in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).5 This law, known as the Kassebaum-Kennedy bill, includes a section titled "Administrative Simplification" that is nearly identical to one in the original Clinton health plan.6 It requires that a unique health identifier be created for every (1) individual, (2) health plan, (3) health care provider, and (4) employer, which would be used for transmitting medical information electronically. To protect the requirement of electronic transmission of this information, HIPAA also mandated that if Congress did not pass a medical privacy law by August 21, 1999, the Administration would have authority to regulate the issue of individual medical privacy.
Congress failed to reach a consensus on a medical privacy bill by the HIPAA deadline. The authority to set up medical privacy regulations automatically therefore was transferred to the U.S. Department of Health and Human Services. HHS issued its proposed medical privacy regulations on November 3, 1999. The comment period on the proposed regulations, initially scheduled to end January 3, 2000, was extended through February 17, 2000, largely because of congressional and public pressure.
In the meantime, Congress placed a one-year moratorium on the unique health identifier, stating that no federal funds would be used to implement such a plan until Congress had approved its specific details. This statutory restriction was included in the recently enacted appropriations bill (H.R. 3194) signed into law November 29, 1999.7
But this appropriations measure does not prevent the government from identifying and collecting personal health information without patient consent. In fact, if the Administration's medical privacy regulations are adopted as proposed, HHS would be able to collect information--including genetic information--without patient consent. In effect, the new federal regulations could give the government the ability to tag and track individuals' medical information through DNA identification or Social Security numbers without their knowing such tracking and data compilation were taking place. Thus, the Administration's proposed "privacy" regulations are a far cry from legislation that would put patients back in control of their personal medical information.
President Clinton promised Americans that his proposed privacy regulations "represent an unprecedented step toward putting Americans back in control of their own medical records."8 The reality, however, is that the regulations would remove patients from the driver's seat and place the federal government in charge of deciding when, how, and to whom their personal medical information would be shared without their consent. As the HHS regulations state,
We also propose to prohibit covered entities [health plans, providers, hospitals, clinics, etc.] from seeking individual authorization for uses and disclosures for treatment, payment and health care operations unless required by State or other applicable law.9
For most health care services, this means doctors and hospitals would be prohibited from asking their patients whether they want their information shared. James Pyles, a Washington-based attorney specializing in privacy law who represents the American Psychoanalytic Association, has warned that eliminating authorization by the patient of disclosure of information related to medical treatment, payment, or health care operations effectively abolishes any patient right to privacy for most health care services.10
The proposed HHS regulations differ from state laws regarding medical privacy. A recent survey by the Health Privacy Project noted that, "Overall, the most common restriction [protection] found in state statute is that patient authorization must be secured prior to health information being disclosed."11 The proposed federal regulations would strip Americans of the authority to decide who can access their medical information.
In addition to removing requirements to obtain patient authorization, the proposed HHS regulations would give countless entities legal access to patients' medical information. Citing a congressional report, HHS notes in its published regulations that, "Health information is considered relatively `safe' today, not because it is secure, but because it is difficult to access. These standards improve access and establish strict privacy protections."12 Essentially, this statement illustrates the department's plans to allow more people to see patients' medical records. Contrary to what HHS promises, letting greater numbers of individuals and organizations access a patient's confidential medical records would result in less, not more, privacy. HHS notes,
In the past, information that may not have been legally protected was de facto protected for most people because of the difficulty of its collection and aggregation. With the dramatic proliferation of large electronic databases of information about individuals, growing software-based intelligence, and the declining cost of linking information from disparate sources, such information could now be more readily and cost-effectively accessed.13
Yet, if the proposed regulations are adopted, many types of people would have legal access to a patient's medical records without the patient's consent. Among those that could legally obtain access to individuals' medical records without their consent or knowledge would be law enforcement officials, insurance agencies, and banks, as well as many others who transmit and receive electronic medical information. As HHS states,
After balancing privacy and other social values, we are proposing rules that would permit use or disclosure of health information without individual authorization for the following national priority activities and activities that allow the health care system to operate smoothly.14
- Circumstances where other law requires such disclosure and no other category of permissible disclosures would allow the disclosure.
Many organizations have endorsed the pending medical privacy regulations under the assumption that the federal rule will not preempt more stringent state privacy laws. However, most of these groups overlook a very important aspect of the preemption issue: It is not always clear whether or not a state law is more stringent than federal regulations.
The HHS definition of "more stringent" is confusing and ambiguous. HHS cannot guarantee that patients will not be stripped of their state-legislated right to medical privacy until the federal government clearly defines what it means by "more stringent." For example, consider this example of how the new federal rule could preempt a state law:
John Doe resides in a state that requires patient authorization before personal information can be shared; the state penalty for disclosing information improperly is $1,000. However, the new federal rule stipulates that patient authorization is not required for disclosing information related to medical treatment, payment, or health care operations; the federal penalty for improper disclosure is $25,000. The federal government could interpret its new rule as "more stringent" because it imposes a greater penalty. In truth, the state law would be more stringent by providing more patient control and greater confidentiality. The state law would not permit Mr. Doe's personal medical information to flow over the Internet without his consent, while the federal rule would.
HHS claims that the federal rule is needed because states do not provide adequate protections for medical privacy. It bases this claim on findings from a Health Privacy Project survey of state statutes. However, the authors of that report admit that they did not examine state common law, where much medical privacy-related law exists. In its preface, the report states:
At the outset, it is important to say what this report is, and what it is not. The State of Health Privacy includes a summary of each state's major statutes related to the confidentiality of personal health information. The survey is specifically and exclusively a survey of statutes, not laws. This distinction is important: we did not research or include regulations or common law, both of which ultimately must be understood in order to appreciate the full range of protections at the state level.15
In other words, in declaring that people are better off with the new federal privacy rule, the most comprehensive review of state medical privacy standards available did not include a comprehensive review of all state law. At the same time, the HHS regulations note that, "much State `privacy law'--e.g. the law concerning the physician/patient privilege--is not found in statutes, but rather in State common law."16
It is understandable that a thorough review of state common law--including regulations and court opinions--would be difficult if not practically impossible to conduct. However, HHS misleads the public by stating that it is providing greater privacy protection, when in fact it has not analyzed much of the existing state privacy law. HHS cannot declare for sure whether federalizing medical privacy rules will provide greater or weaker protection for individuals.
Currently, most state laws provide private right-of-action provisions, which grant people the ability to bring lawsuits when a statute has been violated, according the Health Privacy Project survey.17 Yet, under the proposed federal regulations, individuals would not be able to sue if their medical privacy is breached. The proposed regulations clearly state:
There is no private right of action for individuals to enforce their rights, and we are concerned that the penalty structure does not reflect the importance of these privacy protections and the need to maintain individuals' trust in the system.18
What happens when an individual's medical privacy is breached? The federal government may impose penalties on the guilty parties, such as providers, hospitals, or other organizations. The individual, however, would not be compensated for the breach. Yet it is the patient, not the federal government, who should be able to secure remuneration for wrongdoings.
Additionally, the proposed HHS regulations explain that, even though a great number of people will have access to patients' medical information without consent, the rule and penalties would apply only to covered entities, which would include health care providers, health plans, and health care clearinghouses (organizations that process data). It is not clear that the rule and penalties would be applied to the many other categories of individuals and entities (such as law enforcement agencies) that would have legal access to patients' information without their consent. The HHS regulations read:
The HIPPA legislative authority generally does not bring the entities that receive disclosures pursuant to this section, including public health authorities, oversight and law enforcement agencies, researchers, and attorneys, under the jurisdiction of this proposed rule. We therefore generally cannot propose restrictions on the further use and disclosure of protected health information obtained by the recipients of these disclosures (unless the recipient is also a covered entity).19
All told, the privacy regulations would not apply to the wide range of individuals and entities (including government agencies) that will have new, unfettered access to patients' medical information without their consent.
There are several important medical privacy-related problems that HHS correctly identifies in its proposed regulations. First, the agency acknowledges that American patients face greater privacy risks today than they have in the past:
The shift from paper to electronic records, with the accompanying greater flows of sensitive health information, also strengthens the arguments for giving legal protection to the right to privacy in protected health information. In an earlier period where it was far more expensive to access and use medical records, the risk of harm to individuals was relatively low. In the potential near future, where technology makes it almost free to send lifetime medical records over the Internet, the risks may grow rapidly. It may become cost-effective, for instance, for companies to offer services that allow purchasers to obtain details of a person's physical and mental treatments. In addition to legitimate possible uses for such services, malicious or inquisitive persons may download medical records for purposes ranging from identity theft to embarrassment to prurient interest in the life of a celebrity or neighbor. Of additional concern, such services might extend to providing detailed genetic information about individuals, without their consent.20
Many persons likely believe that they have a right to live in society without having these details of their lives laid open to unknown and possibly hostile eyes. These technological changes, in short, may provide a reason for institutionalizing privacy protections in situations where the risk of harm did not previously justify writing such protections into law.21
HHS has correctly identified that one of the main reasons Americans lack medical privacy is because of the market failure in the purchase of health insurance. Employer-sponsored health insurance receives a tax exclusion, while individually purchased health insurance does not. This distorts the health insurance market and imposes a profound inequity on consumers. As a practical matter, it means that Americans can get only one type of health insurance--employer-based policies--without suffering a tax penalty. The result is that most Americans purchase health insurance coverage through their place of employment. In turn, the employers obtain access to their medical information, including what kinds of prescription drugs they take, what type of mental health services they seek, and whether or not they sought alcohol rehabilitation. On this access to private information, HHS notes:
The employee may have no voice in the privacy or other terms of the [health] plan, facing a take-it-or-leave-it choice of whether to be covered by insurance. The incentive of employers may be contrary to the wishes of employees--employers may in some cases inappropriately insist on having access to sensitive medical information in order to monitor employees' behavior and health status. In light of these complexities, there are likely significant market failures in the bargaining on privacy protection.22
HHS could not be more accurate in this assessment. The agency fails, however, to acknowledge that the market failure exists because distortions in the federal tax code force individuals to buy health insurance through their employers. As long as employers are in charge of health insurance plans, they will determine whether or not the health care information can be shared.
Repeal the provisions in the Administrative Simplification section of the HIPAA that permit tracking of patients' electronic medical information and assignment of unique health identifiers without patient consent.
This section creates new electronic medical databases from individual medical records without requiring patient consent and it mandates the adoption of "unique health identifiers" for each American. Representative Ron Paul (R-TX) has introduced H.R. 220 to repeal the creation of the unique health identifiers. This is an important step beyond Congress's current one-year moratorium, but it is not enough. Congress should prohibit the collection and sharing of electronic data collection without patient authorization.
Make sure that federal rules do not infringe on states' rights to protect patient privacy.
The federal government should not supersede states' privacy regulations simply because state laws differ across the nation. As it stands, it is not clear how HHS will interpret its rule regarding state preemption. HHS could promise today that it would not preempt state laws but later redefine the federal medical privacy regulations to do so. Congress should establish an unambiguous policy to ensure a federal medical privacy rule enforces--rather than eliminates--the requirement that a patient consent to the disclosure of all health care information. The only exception to this rule should be for law enforcement officials who have obtained a warrant.
Change the federal tax code to give individuals and families ownership and control of their health insurance policies.
Today, Americans can get unlimited tax relief for the purchase of health insurance only if they obtain that insurance through their employer. The federal tax code should not exclusively favor employer-sponsored health insurance over individually purchased health care. Individuals should be able to select the plans and benefits they want on the terms and conditions that seem best to them, including the protection of medical records, without suffering a tax penalty. They should also be permitted to set aside money tax-free in medical savings accounts (MSAs) to pay for medical services out-of-pocket, without having to pass sensitive claims information through the bureaucratic apparatus of an insurance company or a third-party administrator.
- Ensure that all Americans--even those enrolled in Medicare Part A--can contract privately for health care services.
As long as the government or private health insurance plans are paying patients' bills, they will have a legitimate need to review patients' medical records. They will want to make sure that patients are receiving quality medical care for the amount of money they are contributing. However, the only way patients can avoid third-party and government intrusion into their personal health care is to contract privately for medical services and pay for those services out of pocket.23 Private contracts provide the best means to ensure strict patient-doctor confidentiality. The federal government should not restrict the use of private contracts, especially among seniors enrolled in the compulsory Medicare hospital insurance program (Part A). Those wishing to pay privately for services already covered by the government should be permitted to do so.
President Clinton has declared that the medical privacy regulations recently released by the Department of Health and Human Services would give patients greater control over their medical records. In fact, however, the proposed regulations would strip individuals of their ability to consent to most disclosures of their personal and very private medical information.
Patients who go to a doctor for medical treatment and bare their bodies and souls should be assured that personal, sensitive information they provide to the physician will be kept confidential. That is one of the basic freedoms Americans should enjoy with peace of mind. Unfortunately, under the guise of protecting the privacy of Americans, the federal government is poised to take away both this freedom and this peace of mind. Congress should take specific steps to restrict access to patients' electronic medical records without their consent. Individual patients--not the federal government--should decide when, why, and to whom their personal medical information will be shared.
Sue Blevins is founder and President of the Washington, D.C.-based Institute for Health Freedom.
3. For a discussion of the relationship between medical privacy and tax reform, see Stuart M. Butler and Carrie J. Gavora, "How Tax Reforms Would Help Protect Patient Confidentiality," Heritage Foundation Backgrounder No. 1242, January 19, 1999.
4. For a discussion of the initial Medicare rules proposing data collection on Medicare patients in nursing homes, see Robert E. Moffit, "HCFA's Latest Assault on Patient Privacy," Heritage Foundation Executive Memorandum No. 580, March 22, 1999.
7. A moratorium on funding for the unique health identifier was included in the Fiscal Year 2000 Labor HHS Education Appropriations (H.R. 3424), which was incorporated into the Fiscal Year 2000 Consolidated Appropriations Act (H.R. 3194). H.R. 3194 was signed into law (Public Law 106-113) November 29, 1999.
9. U.S. Department of Health and Human Services, "Standards for Privacy of Individually Identifiable Health Information, Proposed Rule," Federal Register, November 3, 1999, Vol. 64, No. 212, p. 59941.
11. Health Privacy Project, Institute for Health Care Research and Policy, Georgetown University, "The State of Health Privacy: An Uneven Terrain," at http://www.healthprivacy.com/resources/statereports/exsum.html.
15. Health Privacy Project, at http://www.healthprivacy.com/resources/statereports/exsum.html.
17. Health Privacy Project, at http://www.healthprivacy.com/resources/statereports/exsum.html.
23. Currently, among government health programs, there are explicit legal obstacles only to contracting privately for medical services in the Medicare program. For an account of the current Medicare law, see Robert E. Moffit, "Congress Should End the Confusion Over Medicare Private Contracting," Heritage Foundation Backgrounder No. 1347, February 18, 2000.