Articles/Letters Published • Jan 2001 • Medical Records • Patient Privacy

Public Health Rails Against Patient Privacy

Published by the Texas Society for Psychiatric Physicians Newsletter Dec/Jan 2001

Shortened variation of speech presented to the Texas Medical Association annual meeting 5/26/00.

President
Citizens' Council on Health Care


Although privacy at all levels is a pressing issue in Congress, mighty forces are striking against preserving the right of privacy for patient medical records.

The public emphatically supports the right of patient privacy. A 1993 Harris poll found that 97% of respondents believed in the importance of protecting the confidentiality of individual medical records, with 36% classifying such protection as "absolutely essential." Patients know that inappropriate or malicious use of medical information can be devastating: marriages shattered, jobs lost, insurance denied, political campaigns crushed.

Yet despite the public's concern, there is an enormous push at the state and federal government level to make the patient's medical record an open book&emdash;preferably an online open book. Although federal officials expound repeatedly on the importance of privacy, their definition of privacy obviously begins in the government cubicle, not in the doctor's exam room.

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), ushering in mandates for electronic processing of medical record information. Therefore, Congress mandated themselves to pass medical privacy legislation by August 1999. When they failed to meet the deadline, Secretary Donna Shalala of the Department of Health and Human Services wrote regulations ostensibly to protect medical privacy but doing nothing of the sort. Her department, using the key words of "public health," "public interest" and "public goals," took the opportunity to use regulatory power to dismiss patient consent and confidentiality under the guise new department-generated public health "priorities." For example, in the proposed regulations published November 3, 1999 she wrote:

"The disclosures we propose to allow in this rule are...necessary for smooth operation of the health care system and for promoting key public goals such as research, public health, and law enforcement. Any limitation on such disclosures could do more harm than good."

Such disclosures would not only be permitted. They would have federal authorization and protection. The regulations make it clear that these disclosures by doctors and hospitals are not mandatory, however, the permissibility will increase disclosures and weaken ethical objections. In fact, non-disclosure to government officials may be seen as reason enough to initiate a federal fraud investigation, an expensive proceeding every practitioner wishes to avoid. Simply put, professional and ethical responsibility to patients may come in conflict with financial interests.

Government health officials clearly intend to use public health as a tool to pry open the medical record. While they acknowledge that individuals "have an interest in maintaining the privacy of [their] information" they reject patient consent outright asserting that "many important public health activities would not be possible if individual authorization were required."

This follows the tenor of Shalala's shockingly frank September 1997 recommendations. After a sweeping acknowledgment of the "age old right" of patient privacy, she announced the creation of new national priorities which would open medical records to countless outsiders without patient consent.

Secretary Shalala wrote, "Individuals' claims to privacy must be balanced by their public responsibility to contribute to the common good, through use of their information for important socially useful purposes..." She then recommended that Congress "authorize disclosure of health information without explicit patient consent for four national priority activities" including oversight of the health care system, health research, public health and emergencies which affect life and safety, and a fourth broad category of other laws or court orders, including access for law enforcement and state health data systems.

According to a 1988 definition put out by the Institute of Medicine, the mission of public health is to "fulfill society's interest in assuring conditions in which people can be healthy."

Public health obligations once centered around safe food, safe water, and eradication of communicable diseases. However, because the Institute's definition of public health is so broad, it virtually invites state and federal intrusion in citizen lives. Every breath breathed and every action taken impacts health. Whether we drink pop or bottled water counts. Whether we act on stage or jump out of planes changes our risk. Who we know, how many hours we work, and whether we have children all affect our physical and emotional health. Our health is always on the line.

The question citizens need to ask is this: Do public health officials have the right, or should they be given the authority, to use the natural risks, problems, behaviors and medical conditions of life as a license to put citizens under state surveillance? This is a timely question because the ability to conduct detailed surveillance on civilians has expanded with the development of electronic data systems and the Internet.

Consider the OASIS home health data collection system. OASIS was created by federal officials who used regulations to expand federal legislation to suit their own desires, much as they intend to do with the medical privacy regulations. Legislation enacted in 1986 authorized the Department of Health and Human Services to measure the quality of home health services by surveying a sample of home health patients&emdash;but only with their consent.

Instead, the final OASIS regulation published in 1999 forced the collection of financial, behavioral, medical, psychological, educational, demographic, housing and relationship information on most non-maternity adult home health patients&emdash;all without consent. This includes patients who pay with cash, have private insurance or are on a government program. Patients can refuse to answer the 19-page questionnaire, but the home health nurse or physical therapist must complete the questions with an educated guess. The information is then sent to a State agency where it is transmitted electronically to the Federal government for permanent accumulation and for "routine use" by several approved entities including researchers.

Home health agencies serving Medicare patients cannot refuse to comply. The Administration made provider compliance a condition of participation in Medicare. If they want reimbursement, agencies must report on their patients to the government.

These onerous data collection efforts are not limited to the federal government. Without consent and under the guise of public health, state public health departments are entering children on electronic immunization registries and birth defect registries. Few consider the fact that these registered children will grow up, turning immunization registries of children into government inventories of citizens. All citizens, not just children. And alongside this comprehensive directory of citizens will be a registry of so-called defective citizens.

But public health officials want still more data. They want complete access to the medical record of every citizen, a goal only achievable through trackable, linkable electronic medical records which are the modus operandi of HMOs. Thus, according to a lengthy 1997 publication out of the Center for Disease Control and Prevention's (CDC's) National Center for Chronic Disease Prevention and Health Promotion ("the Center" ), managed care has become essential to the public health agendas of state and federal agencies.

In the CDC publication called, "Public Health and Managed Care: Data Sharing for Common Goals," Betsy Thompson, the Center's Medical Epidemiologist and Managed Care Coordinator, says, "CDC's involvement with managed care...does signify our understanding that this is an unprecedented opportunity to have access to the general population for intervention research, improvement of health care delivery, and disease prevention and health promotion activities."

Stop for one minute and reflect on that statement. This is a government official speaking. The desire here is to get access to the private public. The everyday, tax-paying, self-supporting citizen. Not just those receiving government health care services.

Public-private partnerships between government agencies and managed care are key to this access. Enrollment in a managed care plan usually requires enrollees to sign a blanket consent. The plan is thus authorized to access the patient's medical records at virtually any time for any purpose for anyone they choose. This includes the government. Even the proposed medical privacy regulations state that public health activities depend on "resources such as HMO claims databases and medical records." To share data between managed care and public health, Dr. Gail Janes of the CDC suggests that private health plans combine their clinical data with data from public health registries, and public health departments use physician data to build high level population-based databases. In addition, she says public health agencies could improve surveillance by collecting data automatically at the point of care.

Automatic collection by government agencies clearly requires online medical records and unique identifiers. This explains Dr. Janes enthusiasm over HIPAA's requirement that patients, providers, employers, and health plans be uniquely identified by a single number. She notes that, "Unique identifiers will... facilitate linkage of data into comprehensive, longitudinal records, which span time and varied points of service."

In other words, if you're in a managed care plan, or if you have an electronic or online medical record, there will be little protection from state surveillance. Managed care organizations hold large groups of captive patients, captive doctors and captive data. Becoming a subject of government monitoring and research may no longer be an option for patients.

Unfortunately, the emphasis of public health and managed care centers on populations, not patients. Therefore, privacy rights and professional ethics are treated more as obstacles than assets.

However good-intentioned this population-based thinking may be, it will prove devastating to the health care system and the patient-doctor relationship which is so critical to good patient care. According to a 1999 California Healthcare Foundation survey, 15% of 1000 survey respondents already engage in evasive action to protect their medical privacy.

Just knowing that government officials and their researchers have come uninvited into the exam room will shatter the increasingly fragile integrity of our medical system. Patients may delay seeking medical care. Incomplete information may lead to incorrect diagnoses and ineffective care. And worst of all, clinics will no longer be confidential, just-between-you-and-me havens for people in need. They will become opportunistic research laboratories for government peep squads.

Given historical precedent, public health officials are probably hopeful, maybe even tentatively celebrating. Regulations tend to take on the rule of law no matter how much public opposition exists. Unfortunately, even Congress can't be counted on to step in and save privacy. Many so-called medical privacy bills introduced in 1999 would have opened medical records as wide as Shalala's regulations.

Clearly, public health officials and members of Congress have forgotten who the health care system is for. It's for patients. The frail grandma down the block, the shy girl with anorexia, the baby with twinkling eyes and two club feet, and the politician with a life-threatening disease. These patients, like all patients, want only two things from their health care system. Care and confidentiality.

Policy makers and public officials need to remember this one thing: when the health care system does not work for individual patients, it does not work. If public health officials insist on opening the medical record to prying eyes, they will have bigger problems than imperfect immunization compliance. A distrusted, dysfunctional health care system could become the most serious risk to the public's health that this country has ever faced. That's what public health officials should be worrying about.