February 7, 2000
U.S. Department of Health and Human Services
Assistant Secretary for Planning and Evaluation
Hubert H. Humphrey Building
200 Independence Avenue SW
Washington, D.C. 20201
On behalf of the National Committee on Vital and Health Statistics (NCVHS), I am pleased to forward to you our recommendations on the notice of proposed rule-making for standards for privacy of individually identifiable health information. The NCVHS congratulates the Department for the solid work done in drafting this notice of proposed rule-making. The NCVHS is also pleased that many of its recommendations on health information privacy in its June 1997 report have been incorporated into the proposed rule.
While the scope of the proposed rule addresses many health information privacy issues, it should be noted that there is still a need for anti-discrimination legislation. The NCVHS previously urged the Secretary to propose legislation expanding the anti-discrimination provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to cover all aspects of discrimination based on health status and condition.
While the proposed rule meets the requirements of HIPAA, the NCVHS strongly believes that there is a need for comprehensive federal legislation to address the privacy of individually identifiable health information. The proposed rule is limited in scope and does not cover all records or all entities with access to individually identifiable health information.
The NCVHS agrees that the scope of the rule should be extended to all individually identifiable health information, including purely paper records. The privacy regulations should be uniform across all forms of identifiable health information and across all holders of such information. Having uniform regulations apply to all medical records would simplify compliance for covered entities.
The NCVHS also recommends that HHS use all available authority (or all available means to extend HHS authority) to try to achieve uniform regulations across medical records, types of records, and types of covered entities. For example, the conditions of participation under Medicare and Medicaid could be utilized to achieve uniform regulation.
The definition of protected health information raises serious problems outside the treatment and payment process. Within the treatment and payment process, we can safely assume that all information about data subjects is protected health information. As a result, we do not encounter major line-drawing problems. However, for employers or life insurers, the same assumption does not work. These non-medical record keepers routinely maintain other, non-health, information on individuals. How can they tell when personal information is protected health information within the meaning of the rule? Schools would present the same problem, except that the rules unfortunately and inappropriately exempt most schools from the health privacy rules altogether. We believe that there is a great deal of confusion in the definition and that it needs to be clarified.
The definition of health plan excludes health care payment under property and casualty insurance. Putting aside the issue of workers’ compensation, the definition creates a significant loophole for insurers who want to avoid the scope of the privacy rules in order to use health information for marketing or other uses unrelated to health. From the perspective of a patient, the nature of the policy is not relevant. When a casualty insurance company pays for health care, the patient will think that the company looks the same as other insurance companies. Yet the rule denies a patient privacy rights for property and casualty insurance information. Sometimes, treatment may continue while the ultimate source of payment (property policy vs. health policy) remains unknown, perhaps for months or years. Will information be subject to the privacy rule in the interim, and how will covered entities or others know?
Workers’ compensation is a complex subject that requires special treatment and reasonable accommodation. However, like other casualty insurance, it is not entitled to a complete exemption. The Department should not evade its responsibility to address these difficult issues by simply exempting them. If necessary, a separate and subsequent rulemaking should consider how to meet confidentiality interests of patients while allowing workers’ compensation to be administered efficiently.
The definition of designated record set has two fundamental problems. First, record keepers will find it impossible to determine how to apply this term under the privacy rule. Second, the definition relies upon an outmoded and discredited concept from the Privacy Act of 1974. The Privacy Protection Study Commission recommended abandoning the “retrieved in fact” standard of the Privacy Act of 1974 more than twenty years ago. We believe that this definition will be difficult to operationalize and recommend that it be revisited.
The definition of individual excludes foreign military and foreign diplomatic personnel and their dependents. The commentary offers no adequate justification for this exclusion. If it only applied to records maintained directly by the federal government, then the problems inflicted by the exclusion would fall exclusively on the federal government. But it includes care paid for by the Department of Defense, and this means providers, plans, and clearinghouses will have some records. This is a specific problem which needs to be addressed in the rule.
The term research information unrelated to treatment is not clear, and the need for the term is elusive. We are unable to understand the point of the term and its associated substantive provision. Regular research information is subject to IRB oversight; this category of research information apparently is not. The recognition of two separate categories of research information is confusing and potentially troublesome, and more explanation is needed. The NCVHS recommends that there be no distinction between categories of research. All research should be treated the same.
The definition of treatment lists disease management as a treatment function. Disease management is not a defined term, and this creates one of the biggest loopholes in the rule. Protected health information could be disclosed to virtually anyone, including marketers and employers, under the guise of disease management. It is essential that this loophole be closed. The potential breadth of the term is evident from a definition recently adopted by the Disease Management Association of America:
Disease management is a multidisciplinary, continuum-based approach to health care delivery that proactively identifies populations with, or at risk for, established medical conditions that: supports the physician/patient relationship and plan of care; emphasizes prevention of exacerbations and complications utilizing cost-effective evidence-based practice guidelines and patient empowerment strategies such as self-management education; and continuously evaluates clinical, humanistic, and economic outcomes with the goal of improving overall health.
It is difficult to imagine any privacy-invasive use or disclosure of patient information that could not be justified as disease management under this definition. The definition fails to recognize that patient privacy and patient consent are relevant limiting factors in disease management activities. We do not recommend the adoption of this definition in the regulations. Rather, we recommend that functions that might be called disease management and are prohibited under this rule be identified.
Treatment, Payment and Health Care Operations
There was a divergence of opinion within the Committee regarding informed consent versus statutory authorization. Concern was expressed that statutory authorization undercuts traditional codes of medical ethics and that informed consent should be preserved. However, many NCVHS members felt that statutory authorization provided a better, more uniform level of protection than the case-by-case application of informed consent. Some NCVHS members expressed concern that the proposed rules will interfere with good clinical care. The issue of how much access physicians should have to the records of non-patients, and whether consent is required, needs to be clarified.
The NCVHS supports the concept of minimum necessary use and disclosure. The Committee, however, would add an additional standard: minimum identifiable form. Minimum identifiable form would limit the amount of identifiable data. For example, rather than using name, one would use another identifier. Therefore, any use or disclosure would be the minimum amount of protected health information necessary to accomplish the intended purpose of use or disclosure in a minimum identifiable form.
Statutorily mandated public health requests are recurring and routine and involve a broad range of information for epidemiological investigations. This rule should not unduly interfere with these requests. These requests are established by state law and by rules that are published with public comment. This requirement should also not require duplication of tasks that are already accomplished by IRB- and Privacy Board-approved research. It does not make sense to ask a covered entity to create (or contract with) an IRB or privacy board and then also have to review the board’s findings itself. The covered entity is not likely to have the expertise needed to make fine distinctions regarding minimum necessary in the research context. The regulation could accomplish its purpose by simply requiring covered entities to verify that the research received IRB (or privacy board) approval.
Several members of the NCVHS recommend exempting treatment from the concept of minimum necessary use and disclosure. Some members believe that the concept is appropriate for treatment, payment and health care operations.
The following language is a suggested addition to the minimum necessary rule:
“All procedures and policies that covered entities develop should take into consideration the minimum necessary principle. However, this rule should never compromise patient safety, and requests for protected data for patient treatment, operations, payment and public health should be exempted from the requirement of individual application of this rule to each specific request. Further, research requests will be deemed to have satisfied these requirements if the covered entity has verified receipt of the signed approval of an IRB or privacy board.”
Right to restrict
The choice made by the rule to allow disclosures without authorization for payment and treatment is a compromise that only works if the small percentage of patients who want additional restrictions on routine disclosures can be reasonably accommodated. Giving individuals a realistic opportunity to seek restrictions on payment and treatment disclosures authorized by the rule is crucial. However, the proposed rule does not strike an adequate balance.
A health plan or provider might simply refuse all patient requests for additional restrictions out of a plan’s or provider’s noncompliance or administrative convenience. The commentary goes too far in telling covered entities that they can decline even to consider requests. Patients need more consideration of their requests than that.
The solution is to require that covered entities negotiate with patients over disclosure restrictions in good faith and that they must provide a written reason for rejecting the request of a patient. Fairer negotiations and clearer explanations will provide those patients whose requests cannot reasonably be accommodated with an opportunity to make other arrangements for their health care.
Covered entities should also be required to keep track of how they handle patient requests for restrictions so that HHS can review the degree of good faith shown in handling requests. Without a record-keeping requirement, those at HHS charged with enforcement may be unable to determine if an entity treats patients’ requests fairly and honorably.
Creation of de-identified data
The regulations could use further clarity in defining which rules apply to which data. How do the rules about de-identified data interact with the rules about research and the rules about minimum necessary? If research is done on de-identified data, is it exempt from all requirements? Are requests for de-identified data exempt from all reviews related to minimum necessary? The introductory section suggests that none of the other rules apply to de-identified data, but it would be good to see that stated explicitly.
This section is confusing. Why is an exemption made for communications related to consultations and referrals for treatment under this section? The goal obviously is to facilitate traditional clinical communications. We would have presumed that this exemption was already provided by the exemption for treatment, operations and payment purposes. If this exemption is needed for consultations and referrals, then it is also needed for a host of other clinical communications between business partners, i.e. between commercial laboratory services and (these are not usually consultations or referrals for treatment), between pharmacies so they can transmit prescriptions, and between Hospital A and Hospital B when the patient is under care at Hospital A but Hospital B holds relevant clinical data. If this exemption is needed, it should be broadened beyond the limited exemption for consultation and treatment.
The requirement to control information received from the covered entity for the purpose of consultation and treatment could be very difficult to implement. It is understandable why special protection might be required, but a consulting physician’s history and physical, recorded as narrative (often dictated) text, will intermingle with the narrative information obtained from the referring physician. How would one segregate the information obtained from the referring physician from that collected by the consultant when it is buried in pure narrative text? Further, if read literally, the rule would preclude the sharing of such data with the physician who takes night call for the consulting physician. This also suggests that the broad example given for the sharing of data for patient care does not apply in many care situations.
The constraint would be more easily applied if the treating physician’s summary of such data, rolled into their own note, were exempted from the strict requirements. Then the separate records sent from another practice could be treated just as they are in many hospitals: as “correspondence” that goes into a special section of the chart. This correspondence section of the chart has all of the protection of the medical record and can be used for “treatment purposes,” but has additional restrictions on disclosure.
Covered entities disclose protected health information to many different business partners. Written contracts are appropriate for many of these disclosures in the way that the rule provides. However, the same procedure is not appropriate or practical for all relationships. For example, patient records may technically be “disclosed” to companies providing telephone service, delivery service (the law protects Postal Service mail against opening for inspection, but courier services have no similar legal restrictions), Internet service, credit card support, equipment repair, financial audits and legal service. Records may even be “disclosed” to moving companies hired to haul boxes from one location to another.
Telling each covered entity to negotiate an agreement with every company providing routine, standard services is unnecessary. The Department should identify as many standard disclosures as possible and should develop language that meets the requirements and intent of the privacy rule for service providers to incorporate in standard contracts. This will avoid the need for tens of thousands of individual negotiations. The idea is similar to the proposal to exempt disclosures for consultations for treatment. A similar approach for selected other disclosures will be the most efficient way of solving common problems and will reduce the costs of compliance significantly. It will also benefit contractors who will not find it necessary to repeat identical negotiations with their subcontractors.
The collection of authorizations for marketing uses and disclosures is fraught with potential abuses. In the past, disclosure of patient information for marketing purposes was considered unethical. The demands of marketers, combined with the allure of profits for record keepers and the growth of health plans that operate without any of the traditional provider ethical constraints, have significantly weakened disclosure standards to the detriment of patients. An unfortunate consequence of standardizing procedures for authorizations may be that demands on patients for marketing authorizations will increase as covered entities learn how to pressure patients into signing authorizations.
The Department should use the rule to stop the trend toward increased trafficking by marketers in patient data. Most patients strongly object to marketing activities based on identifiable patient data, but sick or inattentive individuals may not be able to understand or resist pressure from health plans or others to sign authorizations for marketing. One easy change is to expressly prohibit any clearinghouse from seeking patient authorization for marketing disclosures.
For plans and providers, there are several ideas. First, a covered entity should be prohibited from seeking consent from patients for any marketing disclosures that benefit a third party. Third parties that want patient information for marketing should be forced to obtain the authorizations directly from patients and without the assistance or intervention of a covered entity. The purpose is to remove any incentive that a plan or provider might have to do business with marketers.
Note that this suggestion applies only to disclosures and not to uses. A covered entity that seeks to market its own products or services directly to patients should be able to do so with notice and consent. However, any use that involves a disclosure of any type to a third party should not be permitted. Further, the marketing use must be for a service or product provided directly by the covered entity and not by an affiliated company. This type of restriction is necessary to prevent consumer marketing companies or others from purchasing health care providers just for the ability to access patient records for marketing purposes.
Second, it is not sufficient for an authorization to reveal that the covered entity requesting the authorization will gain financially from the disclosure. The identity of the person providing the financial incentive should be included on the authorization, along with the amount of the financial gain. If these requirements inhibit the marketing uses of identifiable health information, that would be appropriate.
Third, the rule should require full public disclosure of all marketing arrangements between covered entities and others. The details should be disclosed on the website of the covered entity or available upon the request of any person. If disclosure inhibits a covered entity from seeking authorizations for marketing, so much the better. No one should be permitted to hide a marketing campaign based on identifiable patient information behind a business confidentiality screen. Here too, the goal should be to discourage marketing using identifiable patient information.
Fourth, the rule should provide that all authorizations for marketing expire in six months. A short, fixed period for these authorizations is essential so that a casual agreement by a patient in a weak or confused moment will not result in a lifetime of marketing disclosures by an avaricious covered entity.
Additionally, accounting for marketing disclosures should include not only the person who received the information but the actual party in interest as well. For example, if a pharmacy disclosed patient data to a lettershop for a marketing campaign funded by a drug manufacturer, the accounting should identify both the lettershop and the manufacturer. Telling the patient that the XYZ Lettershop received the data is not as meaningful as telling the patient that the ABC Pharmaceutical Company benefited from the disclosure.
The proposed rule states that a covered entity may not condition treatment or payment on a patient’s authorization. This is a step in the right direction, but it does not go far enough. The rule does not prohibit the use of financial incentives to induce a patient to sign an authorization. For example, a health plan could offer a discount to patients who sign an authorization. If allowed, financial incentives could be used unfairly. For example, a health plan could establish a high copayment but reduce it drastically for patients who sign an authorization. This conduct should be prohibited.
The rule does not require the use of a contract between a provider and a pharmaceutical company, but it requested comment on the idea. In our view, a contract that identifies the patient as a third party beneficiary is valuable. At best, the Department’s enforcement will be able to identify, investigate and sanction only a small fraction of abuses. By giving patients enforcement rights as third party beneficiaries under contracts, patients will be able to supplement the work of the Department by seeking enforcement of their own rights in court. The rule should not only require contracts with third party beneficiary clauses for arrangements between providers and pharmaceutical companies, but it should require such contracts for all allowable arrangements between covered entities and anyone seeking information for a marketing purpose.
The rule should provide that all authorizations be dated on the day they are signed. No one should be allowed to collect an authorization to become valid on a date in the future to be designated by the person seeking the authorization.
The provision in section 164.508(a)(2)(iv) that prohibits a covered entity from seeking an authorization covering treatment, payment, or health care operations needs to be rethought. At times, a patient or provider may need a signed consent to comply with a state or foreign law, or in other special circumstances. In other cases, a provider (e.g. a psychiatrist) that shares a patient’s concern about confidentiality may affirmatively seek an authorization narrowing the provider’s ability to disclose information. The proposed rule prevents that from happening. We suggest amending the provision to prevent a provider from routinely requiring a patient authorization for treatment, payment or oversight that permits more disclosures than allowed by the rule. If a provider wants either a narrower authorization or an authorization identical to the rule, the patient should be allowed to agree.
The definition of health oversight activities includes almost any activity pertaining to government benefit programs. The rule should make it clear that government benefit programs requiring health information about applicants need authorizations. The authority to use health information in the oversight process should not be construed to include the initial collection of benefit information for routine health or welfare programs. Applicants should know when an eligibility decision requires health information. They should be asked to consent. Consent should be the default method for obtaining access to records.
The commentary says that the regulation allowing a health oversight agency to obtain health information does not create any new right of access to records. That point is absent from the rule. It is crucial to make this point clearly in the body of the rule.
Disclosures for health oversight can be a significant invasion of personal privacy. When they are necessary to serve a broader societal interest, patients deserve better protection. Some legislative proposals introduced in recent years include a policy that prevents information disclosed for a purpose such as health oversight from use in any administrative, civil, or criminal action or investigation against the subject of the record unless the action or investigation arises out of and relates to receipt of or payment for health care. It would be appropriate for the Department to include this policy in its rule.
Admittedly, there is some doubt about the authority of the Secretary to impose this type of patient protection through the rule to all oversight agencies. However, the Secretary has more than enough power to order all components of the Department to follow the policy. Accordingly, we recommend that the Secretary issue an administrative order prohibiting all Department components from using any patient records obtained for oversight activities in any administrative, civil, or criminal action or investigation against the subject of the record. It may be appropriate to allow an exception if the action or investigation develops evidence that the patient is engaged in health care fraud or abuse. The same order should cover law enforcement, public health, and other non-consensual disclosures. An administrative order of this type could be issued immediately and without waiting for the privacy rule to take effect.
Judicial and Administrative Proceedings
The proposed rule permits a covered entity to disclose protected health information that relates to a party whose health condition is at issue in a proceeding and where the disclosure is pursuant to a lawful process such as a discovery order. The rule assumes that because the subject of the record is a party to the proceeding, the subject will have notice of discovery orders. This is not always true. The rule needs to be modified to require actual notice to the record subject or to the subject’s lawyer. Further, access through this method should be limited to instances in which the record subject placed his or her medical condition or history at issue. If another party to litigation raised a medical question, then the party seeking the record should be required to obtain a court order rather than a routine discovery request.
The rule should establish a process that offers appropriate assurance to record keepers as well as adequate notice to the subject of the record. A person seeking protected health information through discovery should be required to notify the subject or the subject’s attorney of the request for information. The person seeking the information should be required to provide the covered entity holding the information with a signed document attesting 1) that the subject of the record is a party to the litigation; 2) that the individual has placed his or her medical condition or history at issue; 3) the date on which the subject of the record received notice of the request; and 4) that ten days have passed since the notice and the subject of the record has not objected.
This procedure will assure that the subject of protected health information receives actual notice of a discovery request and that the subject can object in a timely fashion. Just because litigation involves an individual’s medical condition, the individual’s entire medical file will not necessarily be relevant. If litigation involves a broken leg, the disclosure of the plaintiff’s psychiatric history may not be relevant. The general rule limiting disclosures to the minimum amount of information necessary to accomplish the purpose should be fully applicable. Patients can use the rule to contest the scope of discovery requests. Of course, if a dispute arises over a discovery disclosure, the notice procedure allows the tribunal considering the matter to resolve it without any involvement on the part of the covered entity.
The NCVHS believes that the current proposal for law enforcement access is overly broad. The proposal allows any law enforcement agent to obtain health information without requiring a written request.
The rule should require that any routine request for information from the police be in writing and signed by a supervisory official. The proposed three-part test is useful and should be retained. However, unless law enforcement agencies make their determinations in a written and signed document, the requirement will be an ineffective barrier to inappropriate access. An oral representation that the request qualifies under the test has little significance.
Law enforcement agencies should be obliged to state with some precision the information that they require. If the police need only the location of a patient, they should not obtain access to the complete medical record. The police must provide enough information about their needs to allow application of the minimum purpose rule.
The commentary says that substance abuse records continue to be covered by 42 U.S.C. 290dd-2. That statement belongs in the rule itself, or else it will create unnecessary confusion.
The rule governing disclosures for intelligence and national security activities needs reconsideration. As written, the provision allows a large number of employees of many different agencies to make requests for health records. The rule requires no writing or involvement by supervisory personnel of the requesting agency. The rule offers no protections to patients. It is far from apparent why any personnel of the National Reconnaissance Office or the other agencies identified in the law as part of the intelligence community need the ability to seek health records.
Nothing in the Privacy Act of 1974 allows such broad and unrestricted access by intelligence agencies to health records or even to less sensitive records about individuals. The intelligence community needs to make its case for access to federally maintained health records in a public way. The rule should be revised to permit disclosures only for those specific needs. Further, all requests for access should be accompanied by a written request signed by a supervisory official of the agency.
Governmental Health Data Systems
The commentary tries to make the case for permitting open-ended authority for the collection of health information for health data systems with a variety of functions. We do not oppose allowing legitimate health data systems to obtain patient information under defined circumstances when information in the data system has adequate protection. The rule, however, imposes no procedural or substantive requirements on disclosures to health data systems. Indeed, the rule allows disclosure of health data for policy, planning, regulatory, or management functions unrelated to health care.
Requiring verification of identity, as provided in section 164.518(c), is appropriate, but the suggestion that verification presents a significant barrier to access is wrong. The standard for access is so broad that dozens of federal and state agencies with no direct health responsibilities could legitimately obtain information. Virtually any government agency in the United States could use this provision to seek health records unless expressly prohibited by law from doing so. Under the verification rule, agency personnel need only show an identification card and orally state that they qualify for access.
The rule needs several changes to address access by agencies that do not have express statutory authority to obtain patient data. First, an agency seeking data should be required to inform the public of its request. Many requests will be routine and continuing so a public notice requirement will not be onerous. The notice should allow for public comment before any actual disclosures. Second, if data collected for a governmental health data system can be used in any way against a patient, then the public notice should be required to explain all of the possible consequences. Third, the requesting agency should be required to make a written request, state the reason for the request, and identify all planned uses of the information. Fourth, the rule should require the removal of identifiers at the earliest opportunity consistent with the purpose of access. Finally, the purposes for authorized disclosure need to be much more carefully defined and limited to health care functions.
The proposed rule is far too impractical. The rule requires agreement by patients. Lawyers are likely to interpret this to require writing. How else can a covered entity document patient approval when a dispute arises? The commentary says that verbal agreement is adequate. The rule itself says no such thing. Even if it did, providers would still face the practical requirement of documenting that the patient was asked. A failure to check a box on an admission form could open providers to liability.
Allowing verbal agreement is impractical in other ways. Spend time in an Emergency Department where dozens of patients await care. When a physician is ready for the next patient, a nurse enters the waiting room and calls the name of the patient. The presence of the patient in an emergency room is directory information, and the announcement is a disclosure. If a patient objected to the release of directory information, then how would the nurse find the next patient?
When disclosing directory information, privacy must yield to the practicalities of the world. Telling emergency department personnel that they must ask each patient for permission to call his or her name will only create burdens and unnecessary liability for providers. The same will be true in any physician’s office. It is sufficient to allow a patient with a special concern about directory information to step forward with that concern and make a special arrangement. The Department should reexamine the lesson from the Maine health privacy law that the state legislature withdrew and revised because it imposed impractical limitations on the operations of the health care system. The public will not tolerate a privacy law that is not practical and that imposes unreasonable burdens on patients and their families.
Banking and Payment Processes
The proposed rule addresses a problem, but the rule is too broad. Disclosures to a bank or other financial institution without express patient consent should only be permitted after a patient offers a check, credit card or other payment method to the provider. The presentation of a payment method is the moral equivalent of consent for disclosures necessary to complete the transaction. The rule should expressly make payment disclosures contingent on a prior patient action. Presentation of a check or credit card or a standing authorization of a payment method would suffice. However, it should be improper to assume that a patient who previously paid by credit card intended to continue that payment method without evidence supporting the intention.
No provider should be able to query banks or other institutions looking for someone who has funds to pay a bill. Further, the provision should expressly exclude bill collectors from receiving information. Bill collectors should be business partners and fully subject to the rule because of their relationship with providers. Disclosures to credit bureaus by covered entities should require patient consent unless a limited disclosure reveals no protected health information at all. However, a credit card company should be able to disclose an unpaid bill to a credit bureau under applicable law even if the bill covers health care services. A disclosure to the credit bureau would not normally identify the nature of the transaction that gave rise to the debt, unless the credit card is exclusively for health expenses.
Finally, the rule should expressly ban the disclosure to financial institutions of any diagnostic information or other detailed treatment information. If questions arise about a transaction that might justify any detailed disclosure, the patient involvement and express consent should be required. The suggestion in the commentary that disclosures be limited to specific data elements is entirely appropriate, but the rule should expressly list the elements.
For the most part, this is a good and well-balanced proposal. However, clarification is needed about how the other rules in this regulation interact with the research rules. There is a potential problem with placing all the burden on the covered entity. That could be a real disincentive for covered entities to participate in research – especially if the covered entity is not a research hospital and is not culturally attuned to the value of research. Instead of placing the full burden on the covered entities, would it be possible to create a contract relationship between the researcher and the covered entity, as the regulations require for business partners?
The justification for the additional requirements beyond the existing IRB requirements is also hard to understand. Much traditional medical research involves medical data and often involves medical records. The strong distinction between medical research and medical record research is arbitrary and contrived. Further, most of the “new” and additional requirements are contained in, or implicit in, the existing IRB requirements. Patient confidentiality must always be addressed for current IRB protocols to apply. Finally, the argument against adding these new rules to the common rules on the basis that doing so would create differences between IRBs and privacy boards is not convincing. The two are different in many dimensions even after these added requirements.
The business of destroying identifiers is repeatedly described as a good thing. We are unaware of any defense of that position or any experience that suggests destroying such links is good. There are many clinical situations where new information about a patient could interact positively with information previously collected about that patient. With the regulation as it stands, that would not be possible. It would be better to find another solution to the underlying concern (e.g., require strong encryption of the entire files once they are no longer needed for the research, leaving the keys in the hands of NIH or some other group).
The rule’s next-of-kin provision is another example of a policy that is impractical. We recommend that oral disclosures of protected health information about an individual to the next of kin, or to a person with whom the individual has a close personal relationship, be allowed if (a) the entity has no reason to believe that the individual would consider the information to be especially sensitive; (b) the individual has not previously objected; (c) the disclosure is consistent with good medical or other professional practice; and (d) the disclosure is limited to information about current health treatment.
Requiring verbal agreement by patients will not work well in the real world. Lawyers for covered entities are still likely to insist on a writing to prove that the entity asked and that the patient agreed. Without documentary evidence, an entity faces the prospect of liability for any disclosure just on procedural grounds.
It is easy to envision circumstances in which the failure to obtain verbal consent will create real world disruptions. The commentary seeks to deal with some (e.g. disclosures by a pharmacist) but the attempt to create exceptions in this fashion is directly inconsistent with the stated rule. If the Department can tolerate these “loopholes”, it should do so more generally. The overwhelming impracticality of the requirement for verbal agreements will increase cost, create enormous disruptions and impositions, and ultimately undermine the privacy effort. Once again, we refer to the recent Maine example where the state legislature withdrew a rule that violated the expectations of patients and unduly burdened patients and their families.
Application to Specialized Classes
The special rules provided in this section are too broad, except the rule for the Department of Veterans Affairs. The VA exception is the only one that seems narrow and specifically responsive to an apparent need. In the other cases, the government may have some legitimate needs for access to health records for individuals in the military and intelligence community, and less likely, the Foreign Service. However, the permitted disclosures are too broad and do not include adequate procedural protections for patients.
In most cases, the consent of the record subject should be sought as a first resort, except in emergency circumstances. Only where there is demonstrable reason that consent is inappropriate should the rule authorize other methods of access. The requirement for publication of a notice by the Armed Forces is a step in the right direction, although it does not go far enough because it does not require public comment. At a minimum, intelligence agencies and the State Department should be required to publish a similar rule defining the scope and circumstances of access to health records.
The Foreign Service disclosures are especially troublesome. We cannot imagine why the State Department needs to obtain health records of Foreign Service members or of family members of those who may serve abroad without any notice or consent. The State Department has no comparable authority today to obtain health records without consent. If the State Department’s current inability to obtain records without consent creates insurmountable difficulties, the case has not been presented publicly. Consent should be the preferred and only method for access for Foreign Service disclosures. The same policy should apply to family members of employees in the intelligence community. If consent for necessary disclosures cannot be obtained, the proper remedy is to deny the foreign assignment. Obtaining information without consent is inappropriate, and it will likely conflict with state laws and policies on confidentiality. Because stronger state laws will continue to apply, the best that this rule could accomplish is to authorize requesting disclosures in some states but not others. Regardless, it is difficult to envision circumstances that would prompt a physician to disclose patient records to the State Department.
Notice of Information Practices
Any covered entity that maintains a website for public use should be required to post its current notice of information practices on the web for public inspection. If an entity does not maintain a website, the public posting rule should not apply until the covered entity otherwise establishes a website.
The rule proposes to allow a covered entity to change its notice at any time. This is a difficult issue, and the rule takes a practical position. However, the Department should consider efficient ways to make covered entities more accountable for their privacy policies and for changes to privacy notices.
First, a covered entity should be required to maintain for public inspection a log of all past notices with changes highlighted. Second, if a covered entity maintains a website for use by patients or the public, it should be required to put a log of all notices and changes on the website. Public disclosure of changes will provide some degree of accountability by inhibiting entities from making unreasonable or unnecessary changes. Third, covered entities that have Internet capabilities should be required to establish listservs for sending email notification of any change to the standard patient notice. Mail notices would probably be too expensive to justify. Email notices would be nearly cost-free.
Access for Inspection or Copying
The rule permits a covered entity to deny access when a disclosure would be reasonably likely to endanger life or physical safety of the individual or another person. We disagree with the policy, at least in so far as it permits the withholding of information from a patient, because that patient would be placed in danger. The circumstances that would trigger this type of denial are so unlikely that the exception is not worth keeping. There is no evidence from experience with the Privacy Act of 1974 or state laws or policies regarding patient access that this exception is justified. Patients should be able to obtain access to their own records without any concern about the consequences to themselves.
By allowing a covered entity to deny access on the basis that disclosure will harm the subject of the record (no matter the standard), the rule allows for a complex and expensive administrative process. Record keepers may simply refuse all requests until the provider who created the record determines in writing that disclosure will not cause harm. An insurer or health plan that is not a provider could use this excuse to delay or deny access to all patients. Providers who are most capable of making the determination may have no incentive to do so, and they may simply ignore or delay responding to requests from covered entities for opinions. The result will be that any covered entity can use potential harm to the patient as an excuse for not complying with an access request.
The availability of procedural denials and delays creates an opportunity for covered entities to deny patients their rights. If retained, the exception should include these safeguards: 1) the exceptions should be considered to be permanently waived if not properly invoked within thirty days; 2) the rule should expressly provide that the exception cannot be used to withhold an entire record; 3) covered entities should be required to use the exception in good faith; 4) the burden of justifying the exception should expressly belong to the record keeper, and the record keeper should be expressly prohibited from asking the record subject to obtain approval from previous providers; and 5) all determinations of harm must be made by health professionals who must be identified by name if an individual is denied access to a record on the basis of a finding of harm.
By creating an exception that requires record keepers to exercise judgment, the rule creates an unnecessary liability. Covered entities that receive requests will worry that they will be liable if a disclosure results in harm, no matter how unlikely it may be. A rule that did not allow for an exception based on harm to the record subject would not present the same concern about liability. The result would be a simpler administrative process, more ready patient access, and less stress for covered entities.
The rule permits a covered entity to charge a reasonable, cost-based fee for copying. The rule should be more specific. We have enough experience from the early days of the Freedom of Information Act to know that a loosely drafted fee schedule will result in high fees that impede access to records. A fee that is three times the direct and indirect cost may qualify as “cost-based” and still be excessive. We suggest that the fee be limited so that it does not exceed the lowest standard charge imposed by the covered entity for providing copies in other circumstances. In the alternative, the fee should be limited to direct costs of copying under a published fee schedule.
Accounting of Disclosures
The rule does not require disclosure to the record subject of any accounting records for disclosures for treatment, payment, and health care operations. If audit trails of disclosures for treatment, payment, and health care operations exist, then record subjects should have the right to see the audit trails. Some institutions already maintain complete audit trails, and there is no reason to deny record subjects access to the trails when they exist.
Whether audit trails are valuable enough to require for all disclosures is a more complex decision. Routine activities for a single hospitalized patient may result in dozens or even hundreds of audit trails a day. An enormous volume of records would be created if the rule required recording all accesses. On the other hand, audit trails have great potential for preventing abuse of records. Because most abuses are the result of activity by insiders, excluding disclosures for treatment, payment, and health care operations from an audit trail requirement would destroy the deterrent value of the audit trails. The rule should not discourage institutions from maintaining full audit trails. However, when the audit trails exist, record subjects should have access to them.
Audit trails for paper records are too expensive to require. Similarly, disclosures of information between providers through personal communications would also be expensive and cumbersome to record in an audit trail. However, when access to records comes through a computer, maintaining an audit trail is simple because it can be accomplished automatically. We recommend that the rule encourage cost-effective and practical audit trails for treatment, payment and oversight (as well as all other disclosures) for computer systems. This should be prospective so that it only applies to new computer systems placed in service at some time in the future. If record-keepers have sufficient notice of the requirement, it will be relatively easy to include an audit trail capability at little additional cost.
The rule allows an exclusion from the audit trail requirement for law enforcement or health oversight disclosures on written request. Under this rule, it will be routine for law enforcement and oversight agencies to seek exclusion from accounting every time they request a health record. This should not be acceptable. If there is an adequate reason for exclusion, the rule should require a court order. Obtaining a court order will establish a sufficiently high procedural barrier so that exclusions will not be sought casually. In the alternative, if a written request for exclusion is acceptable, the request should be dated, signed by a supervisory official, and contain a certification that the official is personally familiar with the purpose of the request and the justification for exclusion from accounting. It would be better if the rule required that the entire request for exclusion be handwritten by the supervisory official.
Amendment or Correction
The rule permits a covered entity to refuse a request for correction if it did not create the information at issue. This limitation makes the amendment process ineffective. For example, many records at insurance companies will not be correctable because insurance company records mostly consist of claims from providers. The insurance company can refuse most requests for correction on strictly procedural grounds. At hospitals, incorrect records created by providers long-since dead or by health plans no longer in operation could remain uncorrected. The proposed rule for correcting a record may force a patient back through a trail of record-keepers that extends for decades. It will be an impossible challenge.
Even worse, the rule actually provides a defense to the hospital that does not want to correct a record that came from another source. Ethically, a provider would have an obligation to make sure that the questioned record is accurate. Under the rule, not only does a provider have no such obligation, it has a defense should it choose to deny a request for correction.
If a covered entity uses health information to make decisions about an individual, it must be required to consider in good faith any request for correction or amendment. The proposed rule establishes a policy that allows a covered entity to use information to affect the rights, benefits, or treatment of an individual but it does not require the entity to even consider a request for amendment in some circumstances. It is not necessary to require a covered entity to change a record that it did not create in some circumstances, but the covered entity must be required to consider the request in good faith if it is using the information to make decisions about the record subject.
Relationship to State Laws
While a State may submit a written request to the Secretary to except a provision of State law from preemption, it is recommended that the Secretary, prior to granting the waiver, give notice to the citizens of the State.
Definition of Protected Health Information (Sec. 164.504)
The definition of protected health information excludes individually identifiable health information of inmates of correctional facilities and detainees in detention facilities. The NCVHS is opposed to exempting inmates and detainees from the proposed rule. Information about this vulnerable population should be protected to the extent possible without jeopardizing the safety of the facilities or inmates. For example, access to schedules that would jeopardize security would not be provided.
We appreciate the opportunity to offer these comments and again congratulate the Department on a comprehensive regulation.
John R. Lumpkin, M. D., M. P. H.