Medical Privacy Panel Discussion
National Press Club

Speech by Twila Brase, R.N., P.H.N.
President, CCHC

Since the arrival of the information age, the growth of managed care, and the advance of computer technology, corporate and government interests threaten to completely dismantle the doctor's and the patient's right to protect confidential medical information from disclosure, misuse, abuse, and profiteering. If continued, such intrusiveness will exact a hefty price in quality of care.
I'd like to encourage you to think like a patient during my presentation. In the not too distant past a flimsy gown with two ties too few defined patient vulnerability to embarrassing exposure at the doctor's office. But now patients fear outside assessment of their daily habits and their innermost thoughts. They fear discrimination by diagnosis. And they worry that their data will be used against them by power brokers who increasing control the practice of the doctors they need.
This fear of patients is not imaginary. A recent California HealthCare Foundation survey found that while 61% of the respondents say they trust doctors and hospitals to keep information confidential, only "a third" trust health plans (35%) and government programs (33%) to do the same. Many had already protected their privacy by paying cash, foregoing care, or falsifying information.
Today, I will limit my remarks to the implications of the May 21st draft mark of the Health Infromation Confidentiality Act of 1999. I will also cover the requirements of HHS if a bill is not passed, and finally, I will outline the contents of a real medical confidentiality bill.
Let me begin with the chairman's mark due for discussion June 15th. What is perhaps so striking about this confidentiality bill is the lack of confidentiality protection provided by it. In fact, I would go so far as to say that this bill is nothing more than a federal license to intrude. That being said, let me address just seven of our many concerns:
First, the draft mark grants unprecedented new federal authority and immunity for access to medical records without consent. The previous liability concerns of employers, government officials, researchers, and law enforcement agents have virtually been eliminated.
Second, against current national research protocol, patients en masse would become unconsenting research subjects. Health care corporations and self-insured businesses would have unfettered access to records under "health care operations." And State officials, under public health directives, would no longer need permission before making unconsented forays into patient records and placing citizens on disease-specific and other databases. The inevitable outcome of such patent disregard for patients will be avoidance of care and skewed research data from patients who intentionally distort information to protect themselves or to spite the system. This may lead to higher health care costs and harmful or ineffective research recommendations for medical care along with a general distrust of research results.
Deputizing and making government reporters out of private physicians is our third concern. Doctors and other health care professionals will be forced, under threat of financial or licensing penalties, to report on their patients to government officials, law enforcement agencies, and almost anyone else who asks. The sacred contract between patient and doctor is about to be shelved. Patients who should be free to fully disclose in confidence may be forced to place obstacles in the way of their own care.
Patient reticence was acknowledged in a January Joint Commission on Accreditation of Healthcare Organizations and National Committee for Quality Assurance report on protecting privacy in managed care.The report began by affirming that "One of the touchstones of our health system is the deep trust that patients place in their providers." But then it warned that "concerns about confidentiality of personal health information seriously threaten the quality of health care." Clearly this bill puts the long and short term health of patients at risk. Patients should never be required to choose between care and privacy.
Fourth on our list of concerns is the potential for patient tracking and data collection efforts to escalate in a furious competition for funding. There may be no end to the creation and advertising of databases purporting to contain the latest and greatest patient socioeconomic and health histories for consideration of NIH and other research grants. Additionally, newly empowered State officials under the guise of "public health" may be tempted to expand their profiling capabilities by creating databases on everything from community service and parenting skills to gun ownership and risk-seeking behaviors.
Fifth, the chairman's mark requires a single "consolidated" consent for payment, treatment, and health care operations, which includes patient profiling, prior authorization, utilization review, and outcomes research - all tools of the managed care industry. This is a consent of coercion, which is no consent at all. Unless the potential enrollees are willing to sign on the dotted line they and their families cannot be enrolled in insurance in or outside of their employment. To gather information on those who are uninsured or pay cash, health care providers would also be required to get a signed authorization prior to treatment from anyone who did not present with an insurance card. This precludes the right to anonymity and self-protection, especially for those who need it for mental health care and sensitive medical conditions.
One section does allow a disclosure exemption for cash-paying patients but the section that follows it seems to void that very exemption. For the sake of argument, let's say that patients who pay cash for care are granted protection of confidentiality. In itself this creates a new problem: a two-tier system for medical confidentiality. The confidential patient-doctor relationship will be available only to those who can afford it. Everyone else's records will be up for grabs by those who hold them, pay for them, or claim a right to them, none of which is the patient.
Lining up as our sixth concern is access by law enforcement officials. A letter from the AMerican Medical Association to the chairman called it "nothing short of breathtaking." Besides subpoenas and court orders, any warrant or self-described emergency can open the doctor's file cabinet to the police, with little protection against fishing expeditions. At the request of law enforcement, doctors must provide name, address, social security number, date of bierth and time and dates of treatment of individuals wanted for questioning. In addition, government inspectors are given unlimited access to medical records for oversight functions.
Finally, this draft preempts most state medical confidentiality laws. Although some are allowed to stand, once the federal law passes, no State legislature can pass more restrictive legislation than the federal law, which if passed in its present state is anything but restrictive. In essence, this prohibits state legislators from protecting their constituents against the many privacy violations contained in the chairman's mark.
While the California study found 85% of the respondents supportive of federal legislation to protect privacy, I am sure they did not have an open season on medical records in mind. We all know what privacy is. It is shutting the door and placing a security system before the entrance. Yet Congress appears to be handing out keys and crowbars, not locks. To continue to label any bill resembling this draft a medical confidentiality bill borders on fraudulant. According to the dictionary, fraud is a deliberate deception practiced to deprive someone of their property or rights. No American should be lulled into believing that their right to privacy is about to be protected when in fact it could be stripped away.
Congress has until August 21 of this year to either pass a medical confidentiality bill, push the date back to give themselves more time to do the right thing, or allow HHS Secretary Donna Shalala to administratively enact privacy standards by February of next year. President Clinton in his May 4th speech declared that "one way or the other," the Administration will protect the privacy of medical records this year.
Unfortunately, this proclamation does not mitigate the fears of those of us long involved with the issue. On one hand we have the draft of a confidentiality bill that does the opposite of what it claims. On the other, we have a Cabinet member, Secretary Shalala, who has publicly testified that a person's "claim" to privacy must be balanced by a new public responsibility to open one's medical records without consent for four national priorities as defined by HHS. These include health care system oversight, public health, health research, and a miscellaneous category including law enforcement, state health data systems, and court proceedings.
Either option violates the Fourth Amendment, the Hippocratic Oath, the Federal Privacy Act, medical ethics, and common decency.
OASIS, the new, but temporarily suspended, health data collection system, provides a sobering example of the HHS mindset. This system, if implemented, would mandate collection of personal, relational, financial, educational, behavioral, psychological and medical information on every person unlucky enough to need home health services. OASIS is now under revision because, in the the wake of public outcry, as unlikely as it seems, HHS officials discovered that they had somehow forgotten to follow the Paperwork Reduction Act and the Privacy Act.

If Congress wants to pass a real patient confidentiality bill, they must turn a blind eye to corporate, government surveillance, and profiteering interests. The patient and the health of the medical system should take center stage. To protect the right to MEDICAL PRIVACY, voluntary, informed written consent is essential. Access must be limited to claims information for a defined time period, rather than access to the whole medical record for life. Exchange of data without consent should be allowed only for information which is completely deidentified and unidentifiable.
Patients should have a right to paper records, a right to pay cash, a right to refuse a smart card, and a right to a different non-standard patient identification number for each clinic setting. The 1974 Federal Privacy Act, which has ironically allowed 27 new uses of the Social Security number since it was enacted to limit use of the Social Security number, should specifically state that the Social Security number may not be used for insurance or medical care.
Further protections would include no redisclosure of medical information without additional consent and no blanket immunity from liability. Penalties for unconsented access and release should be severe. The current draft's $500 - $10,000 penalties are mere slaps on the wrist for multi-billion dollar companies striving for the money and power patient data can buy.
For law enforcement purposes, access should not be granted without a court order and sufficient proof of need. And finally, there should be no preemption clause. Congress should acknowledge the Tenth Amendment right of state legislators to govern and protect their own constituents.
Minnesota has led the way with one of the best medical record privacy laws in the nation. Legislators concerned with unlimited access of medical researchers to patient records mandated patient consent in 1996. Medical institutions like Mayo Clinic, United HealthCare and the University of Minnesota were put on notice. They must ask permission. Any confidentiality bill should not jeopardize this hard-won success for patient rights.
Medical confidentiality has an additional benefit not yet realized by most citizens. Because a right to privacy can hamper the HMO manager's ability to use a patient's own information against them in health care denials, medical confidentiality is critical to patient protection in the managed care setting.
In this debate over privacy, we must remember that there are patients who desperately need confidential medical care and doctors who have taken an oath to provide it. This bill could force conscientious law-abiding patients and doctors to become a new brand of health care criminal. We should think long and hard before we take this step toward patient coercion, corporate profiteering, and government surveillance. Congress must never bow to outside interests at the expense of patient care and individual rights.
Let me conclude with a quote that correlates well to the issue before us. In a 1966 dissent regarding government wiretapping, Justice William O'Douglas wrote:
"The time may come when no one can be sure whether his words are being recorded for use at some future time; when everyone will fear that his most secret thoughts are no longer his own, but belong to the Government; when the most confidential and intimate conversations are always open to eager, prying ears. When that time comes, privacy, and with it liberty, will be gone. If a man's privacy can be invaded at will, who can say he's free?"
Thank you.