Public Citizen | Publications – HRG Comments on S.1360 “The Medical Records Confidentiality Act of 1995” (HRG Publication #1379)

Comments on S. 1360, “The Medical Records Confidentiality Act of 1995”

PUBLIC CITIZEN’S HEALTH RESEARCH GROUP

Sidney M. Wolfe, M.D., Director and Lauren Dame, Staff Attorney

November 28, 1995

We are submitting these comments to voice our opposition to S. 1360, the “Medical Records Confidentiality Act of 1995.” Under the guise of protecting the confidentiality of medical records, this bill would promote widespread dissemination of personal, private medical information through the establishment and growth of computerized medical records data banks, and broad access to such data banks by a variety of users.

Public Citizen’s Health Research Group is a non-profit organization funded by small individual contributions. It was founded in 1971 to fight for the public’s health, and to give consumers more control over decisions that affect their health. Among other things, we conduct research and analyses of data obtained from the government and other sources to produce reports to educate the public about important health care issues. In July 1995, we published the fifth edition of Medical Records: Getting Yours, a consumer handbook providing consumers with information on their rights concerning their medical records: how to get copies of records, how to read and understand the records, and how to get mistakes in the records corrected. In the book, we discuss the various state laws governing medical records, and, given the different levels of protection in different states, we agree that a federal law to protect the confidentiality of medical records and to guarantee patients the right to obtain and correct their records, would be an important step in patient protection. This Act, however, does not provide that needed patient protection. While offering some new confidentiality protection, and providing patients nationwide the right to inspect and copy their medical records, the Act as a whole threatens confidentiality more than it protects it.

The stated purposes of this Act are (1) to establish strong and effective mechanisms to protect the privacy of persons with respect to personally identifiable health care information and (2) to promote the efficiency and security of the health information infrastructure so that members of the health community may more effectively exchange and transfer health information. While the bill is entitled the “Medical Records Confidentiality Act,” the overall thrust of the bill is to enhance the establishment of medical records data banks and to facilitate the exchange of medical records data among a wide group of users, to the detriment of patient confidentiality, and often without patient consent.

A basic flaw in this bill is its failure to deal directly with one of the most important issues relating to medical records today — the effect of technological advances — both in medicine, and in information technology.

Technological advances in medicine, such as new genetic tests, have expanded the range of information to be found in patients’ medical records. With some genetic tests, a person’s medical records may contain not only information about their past and current health, but also may contain information about their future health potential — sensitive information that may be used by employers, insurance companies and others to discriminate against the patient based on something that has not yet even occurred.

Advances in information technology, particularly the computerization of medical records, and the ease with which computerized records may be accumulated, analyzed, searched and shared among widely dispersed users, raise critical confidentiality concerns. Today’s changes in the manner of medical record storage from an old, paper-based system, located in a physician’s office, to a modern computerized, “medical records data bank” kept by managed care organizations, insurers, and third parties, means that more privacy protection for medical records is needed than ever before. In spite of the fact that the computerization of medical records is a key threat to confidentiality, the bill does not even mention computers, and only obliquely refers to medical records databanks — a large threat to patient privacy and confidentiality — by using the term “Health Information Service.”

In addition to the Act’s failure to provide sufficient privacy protection for medical records in the age of computers, the Act also legalizes the widespread use of individually-identifiable patient information, without consent, by a variety of users, including health authorities, health researchers, law enforcement officials, and courts or other parties in lawsuits in which a party’s health has been placed in issue. It is difficult to imagine the reasons that such broad access to private patient data is required. Indeed, for much research and analysis of health care issues, aggregate data from which patient identifiers have been removed can provide more than adequate information. Yet, for purposes unexplained except by the most general of terms, such as “public health surveillance” or “public health investigation” or health “research project” by a health researcher, this Act would make available patient medical records without obtaining the consent of the patients involved.

Provisions of the bill that are particularly problematic include:

Section 207, which provides for disclosure of protected health information with personal identifiers to “health oversight agencies,” without limitation on the scope of information disclosed, and with “health oversight agency” being broadly defined to include agencies engaged in licensing, accreditation or certification of health care providers, or public agencies dealing with compliance with legal, fiscal, medical, or scientific standards relating to the delivery of health care or health care fraud.

Section 208, which provides for disclosure of protected health information to public health authorities for use in legally authorized public health surveillance or investigation, without any requirement that the public health authorities demonstrate that personal identifiers are necessary.

Section 209, which provides for disclosure of protected health information, containing personal identifiers, to a health care researcher if a certified institutional review board determines that the information is required for the project, and of sufficient importance to outweigh the intrusion into the privacy of the individual. Thus, personal medical information may be disclosed to thousands of researchers, graduate students, and others, without the patient’s consent or desire to participate in the research, and with the only protection offered being the judgment of an institutional review board — one located in the same institution as the would-be researchers, and likely to share the researchers’ values concerning the importance of research at the expense of personal privacy.

Section 212, which provides for the disclosure of protected health information containing personal identifiers to government authorities for a “law enforcement inquiry” — broadly defined as a violation of, or failure to comply with, any criminal or civil statute, regulation, rule or order issued pursuant to such a statute.

These provisions are but a few examples of the broad disclosure of personal medical information permitted by this Act.

In conclusion, we wish to reiterate our opposition to the Medical Confidentiality Act of 1995. While we support the idea of a federal law to protect medical records, and applaud the sponsors of this bill for raising the issue of medical records confidentiality at a time when it is increasingly threatened by advances in computer technology, this bill fails to live up to its name, and fails to adequately protect the sensitive information contained in all of our medical records.