Medicare's OASIS home health data collection system

Outcome and Assessment Information System Privacy Notice


Division of Data Liaison and Distribution
Health Care Financing Administration
Room N2-04-27
7500 Security Boulevard
Baltimore, Maryland 21244-1850
RE: DOCID: fr18jn99-121
  Notice of new system of records
Dear Sir or Madam:
At your request written in the June 18, 1999 notice, we are submitting comments on the proposed new system of records titled 'Home Health Agency Outcome and Assessment Information Set, HHS/HCFA/CMSO, 09-70-9002.' We will make comments in general and specifically regarding the proposed 'routine use' portion of the system of records.
Citizens' Council on Health Care is a St. Paul, Minnesota-based national 501(c)3 organization whose mission is to engage and empower the public in the health care debate through sharing of information, policy analysis, and alternatives.
We will make our comments in order of each section of the notice:
We do not support a waiver of the 40-day advance notice period for this system of records. The public is not fully aware of the OASIS system and should receive a full, if not expanded, period for comments.
The Glossary of Terms limits the list of identifiers to patient's name, social security number, Medicare number and Medicaid number. This list should be expanded to include address, city, state, zip code, date of birth, age, sex, and any other personal or medical records identification numbers. Given the nature of the questionnaire, the names of the clinic, health plan, doctor, high school, college, and identifying information of relatives should be included as identifying information that is masked or deleted. Cross matching of data to identify a person can be done without a name or a social security number if other demographic and historical identifiers remain. NOTE: It is not lawful for the government to ask for a social security number without Congressional approval.
The list of OASIS information should not include the additional identifiers that we have listed above.
The notice's definition of non-identifiable information is a misnomer. The notice itself validates this. Under III 'Proposed Routine Use Disclosures' the agency recognizes the possibility of identification saying "...our policy will be to prohibit release even of non-identifiable data, beyond the seven listed categories, if there is a possibility that an individual can be identified through implicit deduction..." Clearly, by HCFA's own admission, the masking of the four identifiers will not protect patient privacy or prevent individual identification.
Our reading of Section 1891 of the Social Security Act does not require the completion of a standard, valid, patient assessment data set for every patient, nor does it permit HHA to perform the assessment if there is no patient consent. Instead it stated that a sample of individuals shall be surveyed, but only with the consent of these individuals. Also, HCFA's interpretation of the word 'individual' to include non-Medicare and non-Medicaid patients appears overreaching.
The notice states that OASIS is the "backbone of the home health prospective payment system" for Medicare and Medicaid, and while HCFA may choose to use OASIS to determine appropriate payments for the subsidized population, there is no obligation on the part of private patients to contribute to the database. Yet, OASIS regulations seek to collect data on all patients in the home health system. There is no statutory basis for coercion of non-subsidized patients into the federal data collection process. In fact, the Fourth Amendment prohibits such collection without patient consent.
It is a clear overstepping of federal law for HCFA to claim an obligation for "ensuring HHAs are providing the highest quality of care for the entire agency and for each individual patient." HCFA's responsibility is for the subsidized patient. You have stated that home health care is difficult to oversee because services are in the home. This may be true, however, this does not bestow upon HCFA the power to invade the privacy and the patient-practitioner relationship of those for whom HCFA does not provide funding for home health services. HCFA's access to information should be limited to "monitor[ing] the quality of care it purchases for its beneficiaries" as stated in your final statement of this section.
As we understand the purpose of this notice, HCFA is alerting the public to OASIS' impact on privacy and giving the public an opportunity to comment. In addition, it is stating to whom the OASIS information will be given. Accordingly, the notice states that the Privacy Act "permits us to disclose information without an individual's consent if the information is to be used for a purpose which is compatible with the purpose(s) for which the information was collected" and that such disclosures are known as 'routine use.'
Given that the purported purpose of OASIS exceeds federal statute, we believe that the privacy notice is based on a faulty foundation. Therefore, unless the information is collected solely from consenting Medicare and Medicaid patients who receive a subsidy to pay for their home health services, and solely to a sample of those patients, the OASIS data set and collection system should not receive a seal of approval through the Privacy Act of 1974.
While the notice states that 'only' seven entities are slated to receive routine use disclosures of OASIS data, the seven entities listed are broad categories which present a number of concerns to both subsidized and private patients.
Government Access: You have granted access to any agency or employee of the United States Government or the Department of Justice, or any court or adjudicatory body if these entities are a party to litigation or 'have an interest in such litigation.' This is broad, allows extensive intrusion by federal officials, may place the patient at a disadvantage in litigation, and does not follow Fourth Amendment restrictions, particularly for those whose health care services are not subsidized by the Government. In addition, we are not certain that entitlement programs completely void Constitutional protections for individuals, particularly if the individuals have no choice but to accept the entitlement as in the case of Medicare.
Government Contracts: Since you would permit anyone with a contractual agreement with HCFA to access OASIS data without consent, this opens up access under any number of functions, to any number of people, which cannot be fully understood or appreciated by the public. One assumes that payment operations, outcomes research, fraud investigations, quality assessments, peer review, data warehousing, tracking, statistics, and other functions would be included. This would substantially increase the number of individuals with unfettered access to personal and medical data, including private, for-profit, and not-for-profit organizations and foundations.
State Agencies: State officials would be granted access to information for state government oversight of patient care, including data on patients who are residents of the state, but receive care outside the borders of the state. The effect of this tracking system is to completely prohibit privacy. No patient will be allowed to privately receive home health services in or outside his state of residence without the state government being informed. This violates the Fourth Amendment.
Agencies Administering Subsidized Health Care: For purposes of evaluating and performing payment, treatment and coverage functions of Medicare and Medicaid, this disclosure of OASIS data solely on Medicare and Medicaid patients appears the most appropriate. In the evaluation and monitoring of care provided by HHAs, the information disclosed should be limited to the subsidized population.
Peer Review Organization: As previously stated, the monitoring of care should be limited to information on subsidized populations. HCFA presumes responsibility that is not theirs when it seeks to access and use data on all home health patients for a summary report "about the nation's home health care for release to beneficiaries."
Research: As Minnesota legislators demonstrated in a 1996 medical records law, researchers should not have unlimited unconsented access to medical records. They must ask the patients for consent. Yet this routine use would allow individuals, health plans, insurance companies, pharmaceutical organizations, non-profit groups, foundations, and others to access individual psychological, behavioral, health, relational, medical, and educational data without consent.
This invasion of privacy will skew the very research conducted. It will permit faulty research conclusions and the formulation of inaccurate and inappropriate policy as a result. It has recently been reported in a California Healthcare Foundation survey that patients already alter or withhold information from providers to protect their privacy.
It should be noted here that researchers will not know which information is supplied by the patient and which--when the patient refuses to respond--is filled in by a therapist according to their best professional judgment and observation. Accuracy will be sadly lacking and the possibility of professional or institutional bias rampant. The potential for increased federal matching funds, increased reimbursement, or research funding may affect the provider's response for each section of the questionnaire. The patient may find himself as a pawn in pursuit of HCFA funding; a pawn that may experience insurance or employment discrimination as a result of faulty information permanently recorded on a federal database.
In section VI 'Effect of the Proposed System...' HCFA makes it clear that inaccurate data "could result in the wrong reimbursement for services and a less effective process for assuring quality of services." Yet in the notice for a revised regulation of OASIS, HCFA allows professionals to enter data that fits their professional judgment and allows patients to refuse to respond. One assumes that inaccuracy will abound because of the inherent privacy invasion of the OASIS system and the obvious distortions of professional opinion.
In addition, since financial information will continue to be collected and encoded at the HHA level, future regulations or law may attempt to include that data at the federal level as well.
Congressional Access: Access should be limited by the constituent and given only to a Member of Congress with a specific and limited consent received by HCFA from the constituent. It is entirely possible that a Member of Congress could send a letter to HCFA about a constituent that the Member is merely seeking information on, including a potential political opponent. The constituent may also not want the Member to know other medical, psychological, relational details about his life that may be included in whatever data HCFA officials might decide is 'sufficient.'
One short note. Clearly security is difficult for government agencies to achieve. The IRS has been twice cited for unauthorized employee access to data on U.S. citizens. It is doubtful that HCFA would be able to limit or control access with any greater success. In addition, encrypted information is not unidentifiable. The identifiers remain attached and decryption keys can be used to identify the information. If the keys are escrowed by the government or a public-private partnership with the government, the information can be decrypted without the knowledge of anyone affected. The records are not secure just because they are encrypted. As stated in the CDC handout titled Summary of Fifteen Key Action Steps: Confidentiality, Community Immunization Registries Manual, Chapter II: Confidentiality, January 28, 1997: "Recognize that absolute protection of electronically stored data on individuals from inappropriate disclosure or abuse is not possible. The only data that cannot be disclosed is that which is never collected."
That HCFA "anticipates no adverse effect on any of these [individual privacy or other personal or property] rights" and "does not anticipate an unfavorable effect on individual privacy as a result of the disclosure of information relating to individuals" is decidedly presumptuous. OASIS is in and of itself a violation of privacy rights, an unauthorized access to personal information on citizens by the government.
In addition, the criminal penalties cited for unauthorized access must first be proven--an expensive proposition for individuals. These penalties have obviously not stopped IRS employees from unauthorized access and will likely not stop HCFA employees either. There is potential as well for secondary disclosure by the seven entities, and the language for imposition of penalties does not appear to include Members of Congress or those entities accessing information for peer review or research.
Thank you for your consideration of our comments. You may contact our office with questions at any time.
Twila Brase, R.N., P.H.N.






Media Contact:

Twila Brase, President and Co-founder
Office: 651-646-8935