Statement of
Janlori Goldman
Deputy Director
Center for Democracy and Technology
Before the
House Committee on Government Reform and Oversight
Subcommittee on Government Management, Information and Technology
on
Medical Records Confidentiality
June 14, 1996
Chairman Horn and Members of the Subcommittee:
I. Overview
My name is Janlori Goldman and I am the Deputy Director of the Center for
Democracy and Technology (CDT). CDT is a non-profit, public interest organization
dedicated to preserving free speech, privacy and other democratic values
on the Internet and other interactive communications media. I appreciate
the opportunity to testify before you today on behalf of CDT in support
of the need for strong, comprehensive federal legislation to protect the
confidentiality of medical records.
One of CDT's primary goals is the passage of federal legislation that establishes
strong, enforceable privacy protection for personally identifiable health
information. We believe that comprehensive legislation that protects the
privacy of health information is critical. The public will not have trust
and confidence in the emerging health information infrastructure if their
sensitive health data is vulnerable to abuse and misuse. We commend the
efforts of Chairman Horn and Representative Gary A. Condit for their leadership
towards enacting legislation to protect the privacy of health information.
Presently, there is no comprehensive federal law that protects people's
health records. However, a Louis Harris survey found that most people in
this country mistakenly believe their personal health information is currently
protected by law. And most people mistakenly believe they have a right to
access their own medical information. In fact, only 28 states allow patients
access to their own medical records and only 34 states have confidentiality
laws. Federal privacy policy is urgently needed to address the increasing
demands for health information by those outside the traditional doctor-patient
relationship. Information demands of insurance companies, managed health
care companies, researchers, employers and law enforcement are eroding the
doctor-patient confidentiality that is central to health care. CDT believes
Congress must act to protect the privacy of personally identifiable health
information so that our laws will finally conform, to some extent, with
the American public's perception and expectation that their sensitive medical
records are confidential.
Technological innovations that allow medical records, data and images to
be transferred easily over great distances impact our country in significant
ways. The development of a national information infrastructure and information
superhighway is changing the ways that we deal with each other. Traditional
barriers of distance, time and location are disappearing as information
and transactions become computerized -- few relationships in the health
care field will remain unaffected by these changes. In the absence of any
Congressional action, the collection and use of personally identifiable
health information will continue to occur within electronic, networked environments
without privacy protections.
But while this information revolution may hold great promise for enhancing
our nation's health, CDT and others believe that personal health information,
in both paper and electronic form, must be protected by strong, enforceable
privacy rules. Even useful technologies pose potential risks to privacy,
where an individual's need to keep information confidential is forced to
take a back seat in the drive to lower costs, increase efficiency and facilitate
health research through automation.
Last Congress, this Subcommittee held hearings on the Fair Health Information
Practices Act, sponsored by Representative Condit, and co-sponsored by Chairman
Horn, Representative Craig Thomas, and others. The bill, H.R. 435, was approved
by the full Government Operations Committee as part of its ongoing consideration
of health care reform.[1] Testifying in support
of H.R. 435 last Congress were industry representatives, privacy and consumer
advocates and health policy specialists, including: Rep. Nydia Velazquez
(D-NY); Nan Hunter, Department of Health and Human Services; Dr. Alan Westin,
Columbia University; John Baker, Equifax, Inc.; Dr. Donald Lewers, American
Medical Association; Fredric Entin, American Hospital Association; Joel
E. Gimpel, Blue Cross and Blue Shield Association, representing the Workgroup
on Electronic Data Interchange; Kathleen Frawley, American Health Information
Management Association; Dr. Richard Barker, IBM Corporation; Dr. Martin
Sepulveda, IBM Corporation; Robert S. Bolan, Medic Alert Foundation International;
and Professor Paul Schwartz, University of Arkansas Law School. In January,
1995, Representative Condit reintroduced H.R. 435. Representative Jim McDermott
(D-WA) recently introduced H.R. 3482, also aimed at protecting personal
health information. Our testimony today outlines the need and demand for
federal privacy protection, and key principles that should be embodied in
any comprehensive legislation protecting health privacy.
II. The Need and Demand for Federal Privacy Protection
A. Consensus Exists
A consensus exists that federal legislation is needed to protect the privacy
of personal health care records. In 1993, a conference in Washington, D.C.
was co-sponsored by the U.S. Office of Consumer Affairs, the American Health
Information Management Association, and Equifax. Panelists from the American
Medical Association, CIGNA Health Care, the U.S. Public Interest Research
Group, Computer Professionals for Social Responsibility and IBM urged policymakers
to address the issue of health information privacy.
At the conference, Louis Harris and Associates released their Health Information
Privacy Survey, prepared with the assistance of Dr. Alan Westin, a privacy
expert at Columbia University. The survey found that the majority of the
public (56%) favored the enactment of strong comprehensive federal legislation
governing the privacy of health care information. In fact, eighty-five percent
(85%) said that protecting the confidentiality of medical records was absolutely
essential or very important to them. Most people wanted penalties imposed
for unauthorized disclosure of medical records (96%), guaranteed access
to their own health records (96%) and rules regulating third-party access.
Buttressing these findings, another 1992 Harris survey revealed that nearly
ninety percent (90%) of the public believed computers make it easier for
someone to improperly obtain confidential personal information. Twenty-five
percent (25%) of the public believed they had been a victim of an improper
disclosure of personal medical information.
A number of studies have determined that a federal law is needed to protect
people's medical records. Georgetown University Law Professor Larry Gostin
concluded that a federal preemptive statute based on fair information practices
was necessary to protect personal privacy as networked health information
databases continued to grow.[2] In 1994,
the Office of Technology Assessment (OTA) issued a report entitled Protecting
Privacy in Computerized Medical Information, which addressed the consequences
of computerizing medical records on individual privacy. In recommending
comprehensive federal legislation, OTA found that:
[t]he expanded use of medical records for non-treatment purposes
exacerbates the shortcomings of existing legal schemes to protect privacy
in patient information. The law must address the increase in the flow of
data outward from the medical care relationship by both addressing the questions
of appropriate access to data and providing redress to those who have been
wronged by privacy violations. Lack of such guidelines, and failure to make
them enforceable, could affect the quality and integrity of the medical
record itself.[3]
The Institute of Medicine (IOM) of the National Academy of Science released
a study that focused on the risks and opportunities associated with protecting
the privacy and confidentiality of personally identifiable health data.
The IOM report recommended that Congress enact legislation to preempt state
laws to establish a uniform requirement for the confidentiality and protection
of privacy rights for personally identifiable health data. It also suggested
that Congress create a Code of Fair Health Information Practices to ensure
the proper balance between required disclosures, use of data, and patient
privacy.
Currently, the National Research Council (NRC) is preparing a report on
health care organizational applications of privacy and security by analyzing
the distribution and flow of health care information among patients, providers,
and third-party institutions. The NRC plans to issue its report on organizational
practices that support the security and confidentiality of electronic health
care information by the end of 1996.
B. Misuse of Personal Health Information
The unauthorized disclosure of personal health information can have disastrous
consequences (see attached news stories and editorials). New York Congresswoman
Nydia Velazquez won her House seat only after overcoming the results of
an unauthorized disclosure. Her confidential medical records -- including
details of a bout with depression and a suicide attempt -- were faxed to
a New York newspaper and television stations during her campaign. In another
instance, a journalist disguised himself as a doctor, obtained the medical
record of an actress, and published that she had been treated for a sexually
transmitted disease.
More common, and in some ways more troubling than the well-publicized privacy
invasions of public figures, are the consequences suffered by ordinary individuals
whose privacy has been compromised by the disclosure of medical information.
For instance, federal auditors demanded the names of patients seeking confidential
AIDS treatment at a Boston clinic. Once the auditors obtained the names,
they disclosed the information to other agencies.[4]
The Harvard Community Health Plan, a Boston H.M.O., admitted to routinely
entering detailed notes of psychotherapy sessions into its computer records,
which were then accessible by all clinical employees.[5]
In Maryland, eight Medicaid clerks were prosecuted for selling computerized
record printouts of recipients' financial resources and dependents to sales
representatives of managed care companies.[6]
Even more common are the practices of some H.M.O.s of sending letters to
employers detailing the health problems of their employees. Surprised individuals
have also discovered that personal problems they discussed with employee
assistance program counselors became common knowledge among their co-workers.[7]
There are a number of other well-documented instances of breaches of health
privacy.[8] Undoubtedly, there are millions
of similar breaches that occur either without the knowledge of the individuals
harmed or outside of the media's spotlight.
The need for comprehensive federal legislation becomes more imperative as
the U.S. Court of Appeals for the Third Circuit recently ruled that an employer's
right to access its employees' health records outweighed the employees'
right to privacy in their health information. In Doe v. Southeastern Pennsylvania
Transportation Authority,[9] the court overturned
a $125,000 jury award to an employee who was taking the antiviral drug
AZT and whose infection with HIV became known to co-workers due to a breach
in confidentiality of the employer's prescription drug benefits plan. While
the Court agreed that employees have a constitutional privacy right in their
prescription drug plan records, it found the right was limited by their
employer's interest in monitoring such plans to determine fraud, drug abuse
and excessive costs. The majority's decision rested on the fact that this
employee suffered no adverse employment action, such as harassment or demotion,
as a result of the unauthorized disclosure. Dissenting in the decision,
Judge Lewis stated, "I hope I am wrong, but I predict that the court's
decision in this case will make it easier in the future for employers to
disclose their employees' private medical information, obtained during an
audit of the company's health benefit plan, and to escape constitutional
liability for harassment or other harms suffered by their employees as a
result of that disclosure."[10]
Errors found in medical records have also been difficult to correct and
control. For instance, Mary Rose Taylor of Springfield, Massachusetts was
denied health insurance for over a year because of a computer error at the
Medical Information Bureau (MIB), a database of medical information used
by insurance companies. MIB reported that Ms. Taylor had an abnormal urinalysis,
even though she had only taken a blood test. Ms. Taylor was forced to go
to the insurance commissioner of her state to correct the error -- and it
was only then that she finally received health insurance.
C. Consequences of Not Protecting Personal Health Information
Despite the public and private horror stories about breaches of privacy,
many Americans trust that the information they share with their doctor is
kept confidential. Indeed, the traditional doctor-patient relationship is
intended to foster trust and to encourage full disclosure. However, once
a patient's information is submitted to a third-party payor, or to any other
entity, the ethical -- and sometimes legal -- relationship between doctor
and patient evaporates, putting patient privacy at risk. In fact, in a Harris
survey, 93% of those termed "leaders", including hospital CEOs,
health insurance CEOs, physicians, nurses and state regulators, believe
that third party payors need to be governed by detailed confidentiality
and privacy policies.
Within our current health care system, many individuals engage in tactics
to avoid potential threats to their privacy. Some people routinely ask doctors
to record a false diagnosis because they fear their employer may see their
health records. Some people withhold information from doctors, for fear
of losing control over sensitive information. In psychiatric practices,
it is common for patients to ask doctors not to take notes during sessions,
fearing the danger that such records, if in the wrong hands, could ruin
a job opportunity, harm their reputation, or prevent them from changing
insurance companies. Numerous people take the simple -- if costly -- step
of paying for medical services out-of-pocket to avoid the creation of insurance
records, even though they are entitled to, and have paid for, insurance
coverage.
A few insurers have been candid enough to concede that their primary business
relationship is with the employer and not the employee/patient. These insurers
may be reluctant to disclose individually-identifiable health information
if requested by an employer, but they will comply if pressed. Most patients,
of course, believe the fiduciary relationship is between themselves and
their doctors, and don't realize that a third party with no direct relationship
to their medical treatment actually controls the information. It is intolerable
to support a system in which an employer's payment of a portion of employees'
health care premiums amounts to employers' unfettered access to employees'
health records.
Advances in technology exacerbate the lack of uniform, federal privacy protection
for identifiable health information. For example, at the state and local
levels, employers, insurers, and health care providers are forming coalitions
to develop automated and linked health care systems containing lifetime
health histories on millions of Americans. The primary goals of these projects
are cost reduction and improved quality of care. State coalitions are attempting
to address the privacy, confidentiality, and security of health data by
crafting internal guidelines, regulations, and contracts. In addition, in
those states where the automation of health care information is seen as
a key component of a state's health care reform package, state legislatures
and public agencies are attempting to enact legislation that establishes
a right of privacy in protected health information. These states are also
attempting to design effective enforcement penalties and oversight mechanisms
to monitor the information practices of these newly created health data
systems.
While some attempts are being made to address privacy concerns, the lack
of a comprehensive policy protecting individuals' privacy across all health
care settings will leave individual privacy vulnerable. The outcome of this
piecemeal, state-by-state approach to protecting the privacy and security
of health care information will lead to conflict among the states and ultimately
set back the overall goal of privacy protection. Relegating the protection
of health care information to the states' different guidelines, policies
and laws leaves individuals subject to differing degrees of privacy depending
on where they receive their health care. In some instances, this means that
individuals traveling across county or state lines to receive necessary
medical treatment may lose their ability to control how their personal medical
information is used. Moreover, states and local governments with different
rules governing the use of health care information may be prevented from
sharing health care information contained in their systems with neighboring
states that insufficiently protect privacy.
Health care records, in both paper and electronic form, deserve privacy
protection. But the vulnerability of information to unauthorized access
and use grows exponentially as the computer makes possible the instant sharing
of information. As a 1992 study by the Workgroup for Electronic Data Interchange
(WEDI) pointed out: "The paper medium is cumbersome and expensive...Ironically,
it is the negative impact of the paper medium...that has minimized the risk
of breaches of confidentiality. Although a breach could occur, if someone
gave access to health records or insurance claim forms, the magnitude of
the breach was limited by the sheer difficulty of unobtrusively reviewing
large numbers of records or claim forms."
Nevertheless, technology itself is not the evil. Information systems can
actually be designed to promote the confidentiality and security of personal
information. For instance, a well-designed computerized system can more
closely guard individual privacy, than paper filing systems. The key is
to recognize technology's potential to enhance privacy, not simply to focus
on the risks technology poses to undermine privacy. There is widespread
agreement among privacy and security experts that protections must be built
in on the front end; it is too difficult and risky to enact them only after
a major privacy breach. Privacy and security must regain their place
as cornerstones of the medical relationship. Only then can we achieve the
potential for enhancing privacy and security.
III. Principles for a Health Privacy Policy
CDT believes that the following principles for protecting personal health
information must be incorporated in any health privacy bill:
- Individuals must have the right to see, copy, and amend their own medical
records;
- Individuals must control the disclosure and use of their personal health
information -- rules must be established requiring doctors, insurance companies,
and other "health information trustees" to obtain individual consent
prior to the use and disclosure of personal health information;
- Safeguards must be developed for the use and disclosure of personal
health information;
- All those who are given access to personal health information must be
bound by comprehensive rules that ensure the protection of such information;
- A warrant requirement for law enforcement access to people's health
records must be created; and
- Strict civil penalties and criminal sanctions must be imposed for violations
of the legislation, and individuals must be given a private right of action
against those who mishandle their personal medical information.
Without comprehensive protections such as these, the widespread electronic
transmission of records in a framework of piecemeal and incomplete protections
will produce the worst of both worlds -- confusion and red tape for legitimate
data users, and debilitating fear and mistrust for people seeking medical
care.
IV. Conclusion
CDT believes that the protection of personally identifiable health information
is critical to ensuring public trust and confidence in the emerging health
information infrastructure. Health care reform cannot move forward without
assuring the American public that the highly sensitive personal information
contained in their medical records will be protected from abuse and misuse.
As the Harris surveys indicate, people are highly suspicious of large-scale
computerization and believe that their health records are in dire need of
privacy protection. If people are expected to embrace and participate in
this rapidly changing health environment, the price of their participation
must not be the loss of control of sensitive personal information.
Any system that fails to win the public's trust will fail to win the public's
support. We risk having individuals withdraw from the full and honest participation
in their own health care because they fear losing their privacy. Congress
should not allow people to fall through the cracks of the health care system
because the privacy of their health information is unprotected. We urge
you to move forward with legislation that adequately protects health information
privacy.
Footnotes
[1] Last Congress, both the Senate Labor and
Human Resources Committee and the Senate Finance Committee approved health
privacy bills similar to H.R. 435. The Senate Labor Committee held a hearing
on S. 1360, the Medical Records Confidentiality Act, introduced by Senator
Robert Bennett (R-UT) and Patrick Leahy (D-VT), and co-sponsored by then-Senator
Dole, Senator Kassebaum, Senator Kennedy, Senator Frist, Senator Simon,
Senator Hatch, Senator Gregg, Senator Stevens, Senator Jeffords, Senator
Kohl, Senator Daschle, and Senator Feingold. The Labor Committee plans to
mark-up S. 1360 in the coming months.
[2] 80 Cornell Law Review 451 (1995).
[3] OTA Report, p. 44.
[4] Matthew Brelis, AIDS Alliance says US
Violated Privacy, BOSTON GLOBE, April 3, 1996, at A1, A12; Tamar Lewin,
Lawsuit Seeks to Bar U.S. From Access to AIDS Files, N.Y. TIMES, April 3,
1996, at A13.
[5] Tamar Lewin, Questions of Privacy Roil
Arena of Psychotherapy, N.Y. TIMES, May 22, 1996, at A1, D20.
[6] John Riley, Open Secrets, NEWSDAY, March
31, 1996, at A5 - A33.
[7] Tamar Lewin, Questions of Privacy Roil
Arena of Psychotherapy, N.Y. TIMES, May 22, 1996, at A1, D20.
[8] Other instances of unauthorized disclosure
of protected health information include: a physician at a large New York
City medical school logged onto a computer system, discovered that a nurse
was pregnant, and publicized that information. A Colorado medical student
sold medical records to attorneys practicing malpractice law. In Jacksonville,
Florida, the 13-year-old daughter of a hospital clerk went to work with her
mother. Left unattended, she accessed the names of patients from her mother's
computer and as a prank, called seven patients and told them they had tested
positive for AIDS.
[9] Doe v. Southeastern Pennsylvania Transportation
Authority, No. 95-1559 (3d Cir. filed December 28, 1995).
[10] Id.
Posted on June 14, 1996. For more information, contact webmaster@cdt.org