Two Home Health Nurses Sound Alarm

Two New Laws Erode Privacy of Medical Records for All Home Health Patients Regardless of Insurance Coverage

January 25, 1999
Letter to Citizens' Council on Health Care

New laws will soon become effective that pose an immediate and massive threat

to medical records privacy - unprecedented in scope, breadth, depth, and
specificity. Detailed highly personal health care information will be stored
in state and federal government computerized databases in patient identifiable
form - comprehensive personal health information that should only be shared
privately between patients and their immediate health care providers.
On January 25, 1999, two new federal regulations were published in the Federal
Register that revises the HCFA "Conditions of Participation" (COP) for Home
Health Agencies (42 CFR Parts 484 and 488). The first regulation
(HCFA-3007-F) was published as a final rule, effective 2/24/99. It authorizes
the Secretary of the Department of Health and Human Services to require that
each patient receives from any home health agency (HHA) participating in the
Medicare programs, a comprehensive assessment at specific time points during
their home health services. The rule requires the use of a standard
assessment data set named the "Outcome and Assessment Information Set"
(OASIS). The second regulation (HCFA-3006-IFC) was published as an "Interim
final rule with comment period." This regulation requires HHAs to
electronically transmit OASIS data collected to the state Department of Health
Services (DHS) effective 4/26/99. Further, section 488.68(a) requires the
state DHS to store and analyze the data in a database system and (b) make
available to HCFA all OASIS records received on a monthly basis. HCFA "will
electronically retrieve OASIS data from the HCFA standard State system into a
central repository at HCFA for analysis."
There are two purposes for these new regulations:
1) Establish a prospective payment system (required by Balance Budget Act of
1997) using reliable outcome and case-mix adjustment data; and
2) Achieve broad-based, measurable improvement in the quality of care
furnished through Federal programs.
The 105 item OASIS data set was developed, tested, and refined for the past 10
years through research conducted by the Center for Health Services and Policy
Research at the University of Colorado and funded largely by HCFA, the Robert
Wood Johnson Foundation, and more recently, New York State. The OASIS items
were designed for the purpose of enabling the rigorous and systematic
measurement of patient home health care outcomes, with appropriate adjustment
for patient risk factors affecting those outcomes.
The HCFA regulations require collection of OASIS data items on all non-
maternity patients age 18 and over that receive health services from Medicare-
certified home health agencies, regardless of payment source. OASIS must be
collected on all patients upon HHA admission, discharge, and certain other
episodic and periodic time points. The complete OASIS assessments must be
electronically transmitted monthly to the state DHS for storage in an
electronic database and then sent to HCFA by the DHS. OASIS data must be
collected and transmitted to the government even on patients whoâs home health
care is NOT being funded by a government program e.g. patients that private
pay or care through employer-sponsored benefit programs.
The OASIS assessment contains patient-identifying data (i.e. the patientâs
full name, date of birth, Social Security, Medicare, and Medicaid numbers) and
over 80 personal and clinical items. All OASIS items - the patient
identifying data linked with personal and clinical data - must be
electronically transmitted to the state DHS. The computerized databases that
the state DHS and HCFA maintain will, therefore, contain patient-identifiable
clinical diagnoses, assessments, and observations. We have grave concerns
about the storage and availability of the OASIS patient identifiable health
information in government databases.
The 80+ questions require detailed and precise answers about the sensitive
areas of:
· Medical diagnoses (including ICD-9 codes) and health history;
· Treatments and medications;
· Life expectancy;
· Risk factors (e.g. obesity, smoking, alcohol and drug dependencies);
· Conditions such as sores, ulcers, urinary and bowel status/habits, pain;
· Ability to perform personal care functions (including bathing and
· Cognitive and behavioral observations (e.g. confusion, agitation, socially
inappropriate behavior, poor judgment, etc.)
· Psychological status (e.g. coping, anxiety, suicidal tendencies, etc.);
· Financial factors; and
· Home situation (who the patient lives with and ratings of their dwelling).
There are no provisions in the published rules either (1)requiring the
patientâs knowledge or consent to have their identifiable personal and
clinical information sent to the state DHS and HCFA or (2)specifying the
consequences (if any) of a patient refusing to give consent for broad and
open-ended medical records release and storing of identifiable information of
this type.
The fine points of individual patient's private lives will be cataloged
electronically by the government in patient identifiable form - breaching the
confidential physician-patient relationship and leaving their privacy in
jeopardy of invasion.
The two reasons for these new regulations are worthy and desperately needed.
The intent can be easily met, however, without including patient identifiable
data linked with the clinical assessments.
Section 4602(e) of the BBA of 1997 authorizes the Secretary "to require that
HHAs submit any information that the Secretary considers necessary to develop
a reliable case mix system."
We take a strong position that patient identifiable information is NOT
necessary to develop a case mix system or for outcome based quality
improvement. We urge that all of the OASIS assessments be reported to the
state DHS and HCFA without patient identifying data. Aggregate clinical data
would allow DHS and HCFA to totally accomplish the purposes of the new
regulations and protect patientsâ right to privacy and confidentiality with
their health care providers. The OASIS assessments could be coded (without
direct patient identifying information) to identify subsequent assessments for
the same patient. The HHAs could be mandated to maintain a system that
enables the agencies to trace and provide the specific OASIS assessments and
medical records at the request of a state DHS or HCFA representative when
needed for audits or surveys (e.g. concerns about data quality, investigation
of fraud and abuse, etc.).
There is absolutely no reason to have patient identifiers linked to detailed
clinical assessments and transmitted to the state DHS and HCFA for meeting the
necessary purposes of the two new regulations.
Marian Callahan RN, PHN, BSN
El Cajon, California
Training and Education Coordinator, Medicare-certified Home Health and Hospice
19 years clinical and administrative experience in public health, home health,
and hospice.
Jan Anderson RN, PHN, BSN
Escondido, California
14 years clinical, supervisory, and administrative experience in Medicare-
certified home health