



85% of people in a recent poll felt that maintaining the confidentiality of medical records is absolutely essential or very important in national health care reform, according to one government-sponsored report. Yet 80% already feel they have little control over how their personal medical information is used. Gostin, Legislative Survey of State Confidentiality Laws (Presented to the CDC, Council of State and Territorial Epidemiologists, and the Task Force for Child Survival). The proposed use of "patient identifiers" (including the social security number) in electronic medical records is very controversial.
Privacy concerns? All the government and managed care experts say they don't see a legal problem with patient identifiers in electronic medical records, citing the narrow U.S. Supreme Court holding in Whalen v. Roe, 429 U.S. 589 (1977) (State of New York may record, in a centralized computer file, the names and addresses of all persons who have obtained, pursuant to a doctor's prescription, certain drugs for which there is both a lawful and an unlawful market). But in Whalen, the Supreme Court left open the broader issue of the "threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files," stating:
A final word about issues we have not decided. We are not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files. The ...supervision of public health... require[s] the orderly preservation of great quantities of information, much of which is personal in character and potentially embarrassing or harmful if disclosed. The right to collect and use such data for public purposes is typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures. Recognizing that in some circumstances that duty arguably has its roots in the Constitution, nevertheless New York's statutory scheme, and its implementing administrative procedures, evidence a proper concern with, and protection of, the individual's interest in privacy. We therefore need not, and do not, decide any question which might be presented by the unwarranted disclosure [429 U.S. 589, 606] of accumulated private data - whether intentional or unintentional - or by a system that did not contain comparable security provisions. We simply hold that this record does not establish an invasion of any right or liberty protected by the Fourteenth Amendment.
Citing Boyer, Computerized Medical Records and the Right to Privacy: The Emerging Federal Response, 25 Buffalo L. Rev. 37 (1975); Miller, Computers, Data Banks and Individual Privacy: An Overview, 4 Colum. Human Rights L. Rev. 1 (1972); A. Miller, The Assault on Privacy (1971). See also Utz v. Cullinane, 172 U.S. App. D.C. 67, 78-82, 520 F.2d 467, 478-482 (1975).
See the concurring opinion of Justice Brennan ("The central storage and easy accessibility of computerized data vastly increase the potential for abuse of that information, and I am not prepared to say that future developments will not demonstrate the necessity of some curb on such technology.") and the concurring opinion of Justice Stewart stating (to paraphrase) that privacy rights are best left to the states. Contra, Recommendations of the Secretary of Health and Human Services for Establishing Federal Health Privacy Standards. ("A Federal health privacy law should permit limited disclosures of health information without patient consent for specifically identified national priority activities.")
Government gathering of personal health care information may present even more of a political problem than a legal one. Based on the poll results above, even though some may agree that public health would be improved by allowing the unfettered access to patient medical records HHS seeks, the majority seem to be saying, "BUT NOT MY MEDICAL RECORDS!" It will be interesting to see how Congress and HHS get around the overwhelming sentiment against allowing further access to the public's personal medical records and the potential chilling effect such a policy will have on many personal treatment decisions. See HHS: Unique Health Identifier for Individuals, A White Paper (released July 6, 1998); Hearings on the Unique Health Identifier for Individuals, July 20-21, 1998 (web page put up July 6, 1998).
According to the HIPAA law, if Congress has not passed medical records "privacy" legislation by August of 1999, HHS is required to implement a scheme for universal patient identifiers by rule. Such a scheme will likely involve the use of Social Security Numbers, which are slated to become the "dog tag" of the information age. See, e.g., Proposed Rule: State-Issued Driver's Licenses and Comparable Identification Documents, Federal Register June 17, 1998 (Federal mandate of Social Security Number on all state Driver's Licenses by the year 2000 -- comments must be received by August 3, 1998).
According to HHS, the National Standard Employer Identifier will help eliminate paperwork, simplify activities such as enrollment in health plans and payment of health insurance premiums, and save money for consumers. The proposed national standard employer ID number is the Employer Identification Number (EIN), which is issued and maintained by the Internal Revenue Service. Under the proposed rule, health care providers, health care clearinghouses, and health plans would use this number to identify the employer on electronic health transactions that require an employer identifier.
In addition to the national standard employer identifier, other proposals under the HIPAA Administrative Simplification law call for national standard ID numbers for health care providers and health plans (not yet available). The law also requires standards for common electronic health care transactions, code sets, and "stringent new security rules to protect confidentiality of and access to health records" (not yet available). All health plans, health care clearinghouses, and any health care providers that conduct electronic health transactions are required to abide by these new standards.
HHS has provided the ability to comment on these new rules electronically through its Administrative Simplification web site, which also provides information on health privacy and health information standards, and an email list for notification of new rules. See generally, Electronic Rulemaking.