March 30, 2001
The Honorable Tommy Thompson
Secretary of Health and Human Services
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201
Dear Secretary Thompson:
I am writing to you to comment on the Department of Health and Human
Services’ (HHS) final rule on standards for privacy of individually identifiable
health information that was published in the Federal Register on December 28,
2000.
My comments are submitted in response to the February 28 notice in the
Federal Register soliciting public comments on the final medical privacy
rule. I believe a comment period on the final rule is totally unnecessary
because interested parties have had more than ample time to comment on the
proposed rule and related issues. However, I am compelled to submit these
comments with the knowledge that so many others -- particularly the well-funded
opponents of this regulation -- will be doing so. I want to ensure that the
voices of patients' privacy advocates are not drowned out by well-financed
lobbyists.
In 1996, Congress passed the Health Insurance Portability and
Accountability Act (HIPAA). This law mandated the computerization of our health
care system while recognizing that the increased use of technology would lead to
an erosion of personal privacy unless strong action was taken. The law
established an August 21, 1999 deadline for Congress to pass comprehensive
medical privacy legislation. Much to my profound disappointment, Congress failed
to meet its own, self-imposed deadline. Under HIPAA, if Congress failed to meet
its own deadline, HHS was then required to establish medical privacy guidelines
administratively. The Department issued a proposed rule on November 3, 1999 that
was an important step toward providing the protections that so many Americans
expect and deserve. There was an initial 60-day public comment period for the
proposed rule and at the request of both the health care industry and consumer
groups, HHS extended this time frame for an additional 45 days. During the more
than three months for the public to submit comments, HHS received over 52,000
comments on the proposed rule. The Department then met with numerous groups and
engaged in extensive fact-finding over the next 10 months before issuing a final
medical privacy rule last December.
For the past several years I have been engaged in efforts to
make sure that Americans' expectations of privacy for their medical records are
met. I believe that advances in medical and information technology can be
harnessed to ensure our privacy is protected if proper steps are taken. There
are many reasons why it is crucial that we succeed in creating privacy
protections. One is that the fear that confidentiality is being compromised
would deter people from seeking medical treatment and could stifle technological
and scientific developments. I introduced comprehensive medical privacy
legislation, the Medical Information Privacy and Security Act (MIPSA), on two
occasions, first in November 1997, (S.1368), and then again in March 1999,
(S.573). Both of these comprehensive bills were referred to the Senate Health,
Education, Labor and Pensions (HELP) Committee.
I have testified before the HELP Committee on several occasions
urging action on medical privacy legislation. I have attempted to highlight the
need for congressional action on this issue through various forums. I have
expressed my strong opposition to any efforts to extend the congressional
deadline in several letters to former President Clinton, and I have communicated
my concern over delay of the effective date of this final rule to President Bush
and to yourself. Two summers ago, I was one of the leaders in a successful
effort to remove harmful medical privacy language from a financial services
bill. As you can see, this issue is very important to me.
Recent news reports have indicated that there is a campaign
underway to delay or prevent the final medical privacy rule from going into
effect. Some interested parties have expressed concern that they have not had
the opportunity to comment on provisions of the final rule and that the
regulation is unworkable. I strongly disagree with both of these assertions.
First, as I noted above, there was more than adequate time for
interested parties to comment on the proposed rule. Second, if some provisions
of the regulation are truly "unworkable," there is a mechanism
provided in HIPAA for resolving these difficulties after the medical privacy
rule goes into effect. Section 262 of HIPAA gives the Secretary of HHS the
authority to modify the privacy standards during the first 12 months of
implementation when a modification "is necessary in order to permit
compliance with the standard." Congress anticipated potential challenges
with implementation of the regulation and provided a statutory mechanism for
resolving the challenge after the regulation becomes effective.
This issue was addressed in a February 16 letter to President
Bush and a subsequent March 20 letter to you that I joined several of my
colleagues in sending. Section 262 of HIPAA makes clear that delaying the
effective date of the final medical privacy rule is not the way to address
individual concerns regarding the implementation of the final rule.
HHS made many significant changes to the proposed medical
privacy rule to accommodate the interests of the major stakeholders. The
Department responded to concerns of the health care industry and made changes to
the final rule in their favor. These changes include, but are not limited to,
relaxing the "business partner" requirements and substantially
lessening the restrictions on marketing and fundraising activities after
vigorous lobbying by the health care industry. HHS also strengthened some
provisions in the final regulation of interest to consumer groups. Overall, the
final product of this extensive rule-making process is a balanced rule.
When the final medical privacy rule goes into effect, Americans
will -- for the first time -- enjoy some federal protection of their personal
medical information. While the final rule takes the first step toward creating a
foundation of privacy protections, there continue to be some areas where the
regulation is inadequate. Some of these needed improvements will require
statutory changes to lift the restrictions contained within HIPAA and Congress
must pass privacy legislation to ensure that patients’ records are fully
protected. Patients must have the security of knowing that their personal and
private information remains just that -- personal and private. But, I believe it
is now time to devote our energy and resources toward implementing the final
medical privacy rule to ensure they receive the first of these protections.
Listed below are just a few of my comments on the final rule:
Covered Entities and Protected Health Information
The limited authority delegated to HHS by HIPAA allows for the
proposed regulation to only cover health care providers, health care plans and
health care clearinghouses. Unfortunately, a large number of entities that have
contact with identifiable health information will continue to be unregulated.
This is one of the most pressing reasons why Congress must still work to pass a
comprehensive medical privacy law that will be applicable to all entities that
generate, maintain or receive protected health information.
I agree with the final rule’s approach to apply privacy
protections to individually identifiable information on computer printouts, or
discussed orally, as well as those records transmitted or maintained
electronically by a covered entity. It makes sense to continue to protect this
electronically transmitted information when it is printed out or conveyed
verbally. This information is personal and private regardless of how it is
communicated. I am pleased that the final rule extends these privacy protections
to include medical records maintained by a covered entity in paper form.
Protecting only health information in electronic format would leave a great deal
of health information unprotected by federal law. It would be impractical and
unenforceable to limit coverage to the health information that has been
electronically maintained or transmitted. Health information often changes
format -- it can start out as oral, then be written and then be stored
electronically. It would be highly difficult administratively to determine what
information in any particular health record had at some point been
electronically stored or transmitted. In addition, if oral communications were
excluded from the final privacy rule, covered entities could circumvent the
regulation by reading aloud or orally sharing information contained in a
computer or paper record.
Treatment, Payment and Health Care Operations
In the proposed rule, I strongly disagreed with the decision to
take away the right of individuals to authorize the disclosure of their
individually identifiable health information for the use of treatment, payment
and health care operations. I agreed with the desire to establish a rule that
would make health information relatively easy to use for health-related
purposes. However, I believed that goal could be accomplished by requiring that
a patient be a part of this process. Patients should be encouraged to be active
participants in their own health care -- and obtaining an individual’s consent
is an integral part of that process. Many of the 52,000 comments received by HHS
during the public comment period on the proposed rule addressed the need for a
patient’s consent for treatment, payment and health care operations. I am
pleased that the final rule reflects these concerns and requires that a health
care provider obtain a patient's consent before using or disclosing protected
health information.
Minimum Necessary Use and Disclosure
A strong medical privacy rule should guarantee that individually
identifiable health information will be used and disclosed only to the minimum
extent necessary in order to achieve the legitimate purpose for which the
information was first obtained. The legislation I sponsored in the last Congress
(S.573) would mandate such an approach, and I am pleased that the final rule
reflects the importance of using only the information that is necessary.
Research
Health research is an essential component of any quality health
care system. In order to further scientific discovery it is important for
medical researchers to have access to necessary information. However, it is also
essential that individuals be guaranteed protection of their personal medical
information. The final rule establishes a good framework for regulating
researcher efforts by building upon the "Common Rule" regulations that
currently govern federally-funded research or research that is conducted in
anticipation of review by the Food and Drug Administration.
I am pleased that the final rule also makes an important effort
to extend the scope of accountability and oversight to privately funded
research. The final rule requires all research involving protected health
information to meet eight waiver criteria before this information can be used or
disclosed without patient consent. This is a significant step in helping to
close the gap in standards adhered to by federally and privately funded
research.
I am also pleased with provisions in the final rule that place
some restrictions on a researcher’s further use or disclosure of protected
health information.
Access for Inspection, Copying, Amendment or Correction
A strong medical privacy rule must ensure that a patient has the
right to view and to amend or correct his or her medical information if it is not
accurate. This is an essential component of medical privacy protection because
individually identifiable health information is relied upon not only for
treatment purposes, but also for insurance and other purposes.
I am pleased the final medical privacy rule allows an individual
to see, copy, and amend his or her health information. Federal privacy statutes
such as the Privacy Act and the Cable Communications Policy Act give people the
right to see and copy their own information. In addition, several state laws
allow patients the right to see and copy their health information. The
provisions contained in the final medical privacy rule on these issues are
clearly justified.
Relationship to State Laws
I strongly support the approach of HIPAA and the final
regulation that federal medical privacy protections act as a floor, not a
ceiling. Under this approach, weaker state laws would be preempted, while state
laws that offer more protection than the federal regulation will remain in
place. Thus, states will be allowed to pass medical privacy laws that reflect
the changing times, or new uses of technology. The final regulation also allows
a state to pass laws that consider any special needs of its citizens. I have
been a champion of states’ rights over my 26-year career in the United States
Senate. One of the highlights of my medical privacy legislation is a provision
similar to the proposed rule where any federal privacy protections would
establish a floor, not a ceiling, of privacy protections.
Due to my strong support for preemption of weaker state laws
only, I am concerned about a waiver provision contained within the final rule. I
recognize that HIPAA sets forth a standard for states to apply for exceptions to
the regulation preemption provision. However, I urge you, as Secretary, to limit
exceptions to only those cases where it is absolutely necessary. I feel very
strongly that the preemption provisions are essential to protect an individual’s
privacy and am concerned that proponents of weaker state laws will use this
waiver process to avoid complying with the regulation.
Compliance and Enforcement
Ideal medical privacy protections would allow an individual to
bring suit under a private right of action to protect their rights. However,
statutory limitations established by HIPAA prevent this regulation from
including an ideal individual private right of action. I believe that a private
right of action is an essential enforcement tool for any strong privacy
protections because it empowers an individual to seek redress when his or her
privacy has been violated. The limitations established by HIPAA in this area
reinforce, once again, the need for Congress to pass comprehensive federal
medical privacy legislation.
I am concerned, however, about whether the Office of Civil
Rights (OCR) at HHS, currently a relatively small office, has adequate
funding to carry out the major responsibility of enforcing the complaint process
established by this rule. Due to the limited enforcement ability allowed for in
this rule by HIPAA, it is essential that OCR have the capacity to enforce the
regulations.
It is important for those entities covered by the new rule to
have the necessary technical assistance to come into compliance during the
implementation period. OCR must be supported to build the necessary
infrastructure to enforce the regulation effectively.
As you may know, OCR, which currently enforces civil rights law
in the human services setting, has been chronically underfunded. The FY 2000
budget of $22 million was the same as OCR's budget in 1980. During this
period, OCR’s enforcement responsibilities increased substantially with the
passage of the Americans with Disabilities Act, welfare reform and other laws
and regulations affecting civil rights issues. Due in part to an amendment I
offered during the Senate’s consideration of the Department of Health and
Human Services Appropriations bill, the FY 2001 budget for OCR included a
desperately needed $3.5 million increase. I will continue to do all that I can
to ensure that this essential office within HHS has adequate funding to carry
out the critical responsibility of enforcing this rule. I am hopeful your
Department will do the same.
Law Enforcement
I do not believe the law enforcement provision of the final rule
establishes sufficient protections for individuals. Prior to introducing my
medical privacy legislation, I carefully reviewed the numerous and complex
issues surrounding law enforcement access to personal health information. I came
to determine that a covered entity should only be allowed to disclose protected
health information to an investigative or law enforcement officer pursuant to a
warrant issued under Federal Rules of Criminal Procedure, an equivalent state
warrant, a grand jury subpoena, or a court order as outlined in Section 208 of
S. 573. Generally speaking, law enforcement agencies should be required to
obtain legal process issued by a neutral magistrate upon showing of probable
cause.
Federal law establishes protections for cable and video records
that are much stronger than the protections afforded to health information under
this proposal. Medical records contain information that is of the utmost
personal and private nature, and access to this information, including access by
law enforcement, must be limited to the cases where it is necessary. The issue
is fundamental – many people will be reluctant to seek medical care due to
inadequate privacy protections. As a former prosecutor, I understand the need to
have access to information to carry out the job of protecting society from
criminals. However, as an individual, I do not want personal medical information
made available to any law enforcement officer who flashes a badge and asks for
it. I am very disappointed that the final medical privacy rule does not
strengthen this important provision.
Marketing and Fundraising
I am extremely concerned about two provisions included in the
final medical privacy regulation having to do with marketing and fundraising by
covered entities that differ significantly from those in the proposed rule. I am
concerned that these provisions in the final rule could open the door to a
barrage of marketing and fundraising appeals to individuals by unknown third
parties. Although the fundraising provision limits the type of personal health
information that can be used and disclosed for this effort, the marketing
provision does not include a similar limitation. As a result, marketers can
target people based solely on personal health information they have received
about an individual’s particular medical condition. I find this to be
outrageous and a clear violation of the fundamental intent to provide privacy
protection to individuals. Covered entities should not be allowed to use
protected health information for marketing or fundraising purposes without
explicit consent from the individual. The opportunity for an individual to opt
out of receiving these appeals only after the fact is clearly insufficient.
Conclusion
As we approach the effective date of the final medical privacy
regulation, we must remember that the right to privacy is one of our most
cherished freedoms. It is the right to be left alone and to choose what we will
reveal of ourselves and what we will keep from others. Privacy should not be a
political issue. It is too important and too basic to the individual rights we
cherish as Americans.
The final medical privacy rule establishes a foundation of
privacy protections, while also outlining the important ideas and arguments that
will enhance the debate about how to best protect individually identifiable
health information. The rule also allows for the flow of information that is
necessary to facilitate an efficient health care system. While I have pointed
out some areas of specific concern in the final regulation, I do not believe any
of these areas warrant a delay in the implementation of the final rule.
Americans deserve to have their personal health information protected and this
final rule will fulfill our commitment by establishing significant new
protections for patients.
Sincerely,
PATRICK LEAHY
United States Senator