Health Care Personal Information Nondisclosure Act of 1998


Source

Automatically imported from: http://commons.somewhere.com:80/rre/1998/Health.Care.Personal.Inf1.html

Content

This web service brought to you by Somewhere.Com, LLC.


```
[I've enclosed an analysis of certain aspects of the latest in a long line of severely deficient medical privacy bills in the US Congress. It is being circulated anonymously, so you should go ahead and apply whatever discount that might entail for you. I got it indirectly from Joel Reidenberg, a respected professor of privacy law and a friend. Note that, although I've retained his imprimatur as a sign that it's serious, Joel did not write it.]

---

This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help@weber.ucsd.edu

---

From: "Joel R. Reidenberg"
To: "Farber@Cis. Upenn. Edu"

Thought IPers would be interested in this analysis of the Jeffords Health Privacy Bill. I received it from a very knowledgeable and reliable source and find it to be a very thoughtful assessment that raises many troubling issues.

JRR

---

Joel R. Reidenberg
Professor of Law and Director of Graduate Program Academic Affairs
Fordham University School of Law
140 W. 62nd Street
New York, NY 10023 (USA)
Tel: 212-636-6843 Fax: 212-636-6899

Email: Web:

---

> + + + + + + + + + + + + + + + + + + + + + + + + +
>
> Analysis of S.1921
> Health Care Personal Information Nondisclosure Act of 1998
>
> SIGN OR DIE
>
> NOTE: This analysis was independently prepared by an individual who wishes to remain anonymous and may be circulated without limit provided that this disclaimer is included. This analysis may not be quoted or attributed to anyone.
>
> At the beginning of April, Senator Jeffords introduced a new health privacy bill (S.1921). Like other health privacy bills, Jeffords' proposal is long and complex. It contains one especially notable and troublesome new feature, and this analysis focuses on that feature and a few others. This is not a comprehensive review of the proposal.
>
> Coerced Consent - The biggest single problem with the bill is the patient authorization language in section 202. The effect of this language is to give health plans, employers, and providers the power to decide how patient information can be used and disclosed AND to force patients to agree to whatever the plans, employers, and providers decide. The proposal lacks clear statutory or regulatory limits on the power of health plans, employers, and providers to use and disclose identifiable health information to suit their own interests.
>
> Section 202 provides that every employer offering a health plan, every health plan, and every provider MUST obtain from every individual a signed authorization. As a result, each individual covered by health insurance provided by an employer will be required to sign at least two separate authorization forms: one from the health plan and one from the employer. These are separate authorizations. The spouse of a worker must also sign an authorization, and a parent must sign on behalf of each covered child. Any individual seeking care from a provider may also be required to sign a separate authorization for each provider.
>
> Section 202 provides that the signed, written authorization "is a legal, informed authorization concerning the use and disclosure of protected health information for treatment, payment or health care operations." Thus, the terms of the law proclaim that the authorizations are both "legal" and "informed." However, nothing in the bill gives an individual any ability to refuse to sign or to bargain over the contents of the authorization. The law REQUIRES an employer, health plan, and provider to obtain an authorization.
>
> What happens if an individual refuses to sign an authorization? The bill would make signing an authorization a condition of enrollment in a health plan or of the provision of health care. As a result, it appears that an individual who refuses to sign loses health insurance or can be denied treatment. The legal requirement to obtain an authorization falls on the employer, health plan, and provider. Without an authorization, each would appear to be legally justified to deny insurance or treatment to anyone who refused to sign an authorization or who modified it in any way.
>
> For those who require either health insurance or health treatment, the policy in the Jeffords bill is sign the form or forego treatment or insurance. In other words, SIGN OR DIE. There is no opportunity for bargaining, for customizing an authorization to meet individual needs, or for opting out of a particular disclosure. This is not informed consent. There is nothing consensual about signing. The consent is coerced as a matter of federal law. SIGN OR DIE.
>
> Every employer, health plan, and provider can force an individual to sign an authorization form that permits a wide and nearly unlimited variety of uses of health information. Employers, plans, and providers can draft authorization forms to suit their own needs and requirements, without any regard for the interests of patients. Because patients have no choice but to sign, there is no meaningful external constraint on the scope of the authorizations.
>
> Scope of Authorizations - The bill provides expressly that the authorization obtained by employers must cover "treatment, payment, or health care operations." Authorizations obtained by health plans and by providers appear to have no similar limitations. Nothing in Section 202 seems to limit use and disclosure to treatment, payment, or health care operations. However, the title of Section 202 suggests that the authorizations are for treatment, payment, or health care operations so it is likely that the intent is that authorizations obtained by plans and providers under this section are for those purposes. This may just be a drafting error.
>
> Disclosures for Treatment - The authorizations under Section 202 would cover disclosures for treatment. Some other health privacy proposals would permit nonconsensual disclosures for treatment. But they provide patients with an opt-out. Under other proposals, if a patient objects to a disclosure for treatment, that objection is effective. Under the Jeffords bill, a patient has no ability to object to any disclosure for treatment.
>
> Suppose, for example, that a patient does not want his/her record disclosed to a particular doctor because the patient and the doctor are related. Writing that restriction on the authorization form, however, could result in cancellation of insurance or denial of treatment. Under section 202, patients are afforded no opportunity to modify the authorization forms presented by employers, plans, and providers. A provider or health plan is under no obligation to agree to a patient's request to limit disclosures for treatment.
>
> Another hypothetical: Suppose that an employer's authorization form permits disclosure of all patient information as a treatment disclosure to the employer's in-house medical staff. The authority would allow the staff to obtain records of treatment obtained by the employee anywhere else. The employer will say that the disclosure is justified because in-house staff may be called upon to provide treatment in emergencies or otherwise. The consequence is that an employer could force an employee to consent to the routine disclosure of an entire medical record to the employer.
>
> An individual cannot refuse to sign an authorization form for treatment. However, an individual can apparently revoke an authorization for treatment. Section 202(c) allows for revocation of authorizations. If a patient signs an authorization and then revokes it in whole or in part, it is not clear what the consequences are.
>
> The bill makes signing an authorization form a condition of enrollment in a health plan. If an individual can revoke consent for disclosures for treatment, then the concerned individual could do so immediately after signing the required form. This would make the federally mandated consent a nullity. It is unclear how the "condition of enrollment" language meshes with the revocation authority.
>
> Disclosures for Payment - The authorizations required under section 202 would cover disclosures for payment. Some other legislative proposals would permit nonconsensual disclosures for payment. But they provide that if a patient and provider arrange for payment other than through an insurance company, then disclosures for payment are not permitted. In other words, a patient can agree to pay out of pocket without an insurer or employer learning about it.
>
> The Jeffords proposal does not allow an individual to refuse to sign a consent for disclosure for payment under any circumstances. However, the individual may later revoke that consent. Section 202(c)(1) says that an individual may revoke an authorization unless disclosure is necessary for payment for health care already provided and for which the individual has not agreed to assume financial responsibility.
>
> The requirement for signing and later revocation is crucial because it makes it much more difficult for a patient to exercise control. Suppose, for example, a patient pays for psychiatric care without relying on insurance. The careful patient, having signed the initial, required authorization form, then revokes it in part so that it no longer covers the psychiatric care. This appears to be permissible. But if on renewal of the health policy or on a subsequent visit to the psychiatrist's office or to another health care office, the patient signs the standard authorization again, failure to renew the revocation will vitiate the initial revocation and make the records now available for a subsequent payment disclosure. The structure of the Jeffords bill makes it particularly difficult for patients who want to pay for their own care to prevent information from slipping into the payment system.
>
> Disclosures for Health Care Operations - This is the biggest loophole in section 202 because of the lack of specific definitions. Health care operations are defined to include any services provided by or on behalf of a health plan or provider for the purpose of carrying out the management function or implementing the terms of a contract for benefits.
>
> In other words, an individual can be required to "agree" to disclosures for any management functions without restriction. Health care operations include (but presumably are not limited to):
>
>     quality assurance activities and outcomes assessments;
>     reviewing competency of health care professionals;
>     accreditation, licensing, or credentialing activities;
>     analysis of health plan claims or health care records data;
>     evaluating health plan and provider performance;
>     utilization review and precertification;
>     underwriting; and
>     auditing.
>
> The long list of permissible disclosures uses terms that are mostly undefined and could include virtually any type of use or disclosure that an employer, plan, or provider might want to make to satisfy its own institutional needs.
>
> For example, a disclosure for outcomes assessment could allow the entire medical record of an employee or an employee's family to be disclosed to the employer without notice, restriction or limitation. Similarly, disclosures to employers could fall under evaluating plan and provider performance. An employer might even disclose patient information to an employee's supervisor by claiming that it wants to obtain the supervisor's opinion on the performance of the employee's provider.
>
> Pharmacy Disclosures - Recent press stories highlighted how some pharmacies were making disclosures of patient information without consent for marketing purposes. It appears that the Jeffords bill wants to make it impossible for a provider to use the Section 202 authorization procedure to collect patient authorization for this purpose. Section 202(f) provides that authorization may not authorize disclosures "with the intent to sell, transfer, or use protected health information for commercial advantage."
>
> But this language may not provide adequate protection for patients. First, the language of section 202(f) limits disclosure and not use. The Jeffords bill is not clear on whether a distinction between internal use and external disclosure is meaningful. Assuming that it is a real difference, a drug manufacturer that owned a pharmacy could obtain the information because it is still within the same company. Another way to accomplish the same purpose might be for the manufacturer or the third party company to become an agent of the health plan. Then the disclosure might not be restricted because it is an internal use.
>
> Second, the term "commercial advantage" is not defined. Regardless, it provides no real limitation since any disclosure for disease system management could be justified -- rightly or wrongly -- as a treatment disclosure benefitting the patient or as part of a management function. As long as there is another intent for the disclosure, the restriction on disclosures for commercial advantage might not apply.
>
> Third, given the complex relationships between health care institutions, a disclosure of patient records might involve no overt payment or identifiable commercial advantage, but a pharmaceutical manufacturer could provide hidden discounts or benefits to cooperating plans or providers. The limitation in Section 202(f) offers little assurance that patient data will not be widely circulated to marketers or used for marketing purposes by a provider, plan or employer. If a pretext is found for including the disclosure in the authorization form that must be signed, then the disclosure will be "authorized."
>
> Revocation - Section 202(c)(2) discusses the revocation of an authorization given to a health plan. It is not clear whether a patient can revoke an authorization for disclosures for health care operations. Nothing in this section appears to restrict a patient's ability to revoke. A careful patient required to sign an authorization form might immediately revoke it. Whether this would permit a health plan to terminate coverage is not clear. However, other revocation language suggests that revocation of the authority is not an allowable result.
>
> When an individual cancels or fails to renew enrollment in the plan, the authorization is deemed to be revoked, except as may be necessary to complete health care operations and payment requirements related to the individual's period of enrollment. This suggests that the intent of the bill is that an affirmative revocation might not be able to cover health plan operation disclosures. It is not clear.
>
> Still, the revocation provision has several different consequences for both patient and health plans. First, when a patient switches a health plan, any existing authorization for treatment disclosures is revoked. So when an individual moves to another plan and another doctor, the previous authorization that would have permitted transfer of treatment records is no longer valid. New paperwork is required for the treatment disclosure.
>
> Second, revocation-by-cancellation places health plans in a precarious position. Suppose that a health plan wants to use the record of a former enrollee in auditing, licensing, outcomes assessment, or for other health care operations purposes. Records of current enrollees (active revocation aside) could be used because of the signed authorization. But for former enrollees, use is permitted only "as may be necessary to complete health care operations." Each former enrollee's record would have to be identified, and a determination made that the record is "necessary" for the proposed use.
>
> Further, the term "complete" suggests that the exception to revocation is limited. Thus, it would be hard for a health plan to argue that a two, three, or ten year old patient record is needed to "complete" an outcomes assessment. Each patient could argue that any health care operation could be accomplished just as well without his or her individual record.
>
> The result is that health plans have a problem if they want to use records of former enrollees for operational purposes other than payment. They could easily be sued by patients who object that the uses no longer fall under the revoked authorization even with the statutory limitation. Because the disclosure authority for all health care operations is based SOLELY on each patient's authorization, that authority can and will expire.
>
> The revocation provision could also affect treatment. A treatment authorization may cover the treatment of patients other than the record subject. A physician treating a patient may look at records of other patients with similar conditions to learn what treatments were effective. Some other proposals would allow this type of disclosure for treatment of other patients unless the subject of a record has objected. Once the authorization is revoked by cancellation of the health plan, the disclosure of a health record for treatment of others would no longer be permitted.
>
> Coerced consent does nothing to protect the privacy rights of patients. As proposed in S.1921, it also places health plans and employers at risk if they use the records of former enrollees.
>
> Conclusion - Not all of the disclosures that a patient would be forced to consent to under the S.1921 coerced consent language are necessarily objectionable. Many other proposals authorize similar disclosures. What is objectionable is the legal requirement that patients MUST sign consent forms authorizing disclosure. A patient who seeks to modify a mandatory authorization form or to question its content runs the risk of having insurance coverage terminated or being denied treatment.
>
> Section 202 of the Jeffords bill provides employers, health plans, and providers with nearly unlimited ability to use and disclose patient records as they see fit. As a result, it does little to improve privacy protections for individuals. Patients will be forced to sign away their possible privacy interests. The coerced consent model offers the appearance of patient privacy while really only protecting the interests of those who seek to exploit patient data in nearly any way that they see fit.
>
> Other proposals define uses and disclosures in statute. By relying on a statute for definitions, there will be an objective, external standard to regulate patient records. Under the coerced consent model, the employers, plans, and providers are able to make choices about how records are used and disclosed, without regard for patient need or statutory limitations. They can force patients to agree and make it difficult or impossible for patients to challenge the authorization forms or to hold anyone accountable for uses and disclosures.
>
> The fundamental issue is not whether there should be limits on the use of health records. Everyone agrees that there should be. The real issue is who sets those limits. S.1921 allows health plans, employers, and providers to define how records can be used without any participation by patients or external controls. A better answer is to establish limits in legislation so that privacy policy is made by the Congress and so that patients have a greater say in nonessential uses.
>
> Coerced consent abdicates the responsibility of Congress to establish protections for patient privacy. S.1921 turns the responsibility over to health plans, employers, and providers. This is a fundamental flaw in approach, and it will not further patient privacy interests at all. In some ways, it is even a step back from the current rules that afford few protections to patients.
>
> Audit Trails - Suppose that health care information is disclosed to an employer and shared by the employer with an employee's supervisor. How can an employee find out that this has occurred? Section 112 requires the maintenance of audit trails. But the requirement only applies to EXTERNAL disclosures. In the workplace, there is no way to learn if records have been seen by any person who works for the entity maintaining the record. In a hospital setting, this means that if a celebrity is admitted, the hospital need not keep track of any hospital employee who looks at that celebrity's record. If the record then becomes public, the celebrity will have no way to document who saw the record.
>
> Law Enforcement - Those who follow health privacy issues will recall that the proposal from the Secretary of Health and Human Services was heavily criticized by some members of Congress and in the press. The objection was that the proposal would allow law enforcement access to and use of patient records without any change from current practice. The Jeffords bill has some features that represent a marginal improvement over the Secretary's proposal. Nevertheless, the bill fails to meaningfully restrict law enforcement access and use and adds a new element that manages to produce a result even worse than the Secretary's proposal.
>
> Section 210 permits disclosures for law enforcement purposes. Disclosures pursuant to subpoenas and warrants require probable cause to believe that the information sought is relevant to a law enforcement inquiry.
>
> But Section 210(a)(3) allows disclosures in response to "a request otherwise authorized by State or Federal law." This has virtually no meaning. Law enforcement agencies will argue that they are authorized to request any health record under their general investigative authority. A law enforcement officer may claim that he or she is entitled to enter any hospital and ask for any patient record. Section 210(a)(3) authorizes the hospital to make the disclosure. No process is required. There is no probable cause requirement, no new standard, no new procedure, or no notice to the patient.
>
> Section 210(f) includes language excluding from evidence any information obtained unlawfully. This is, for the most part, present law. However, because the bill makes it so easy to obtain information without any standards or procedures under Section 210(a)(3), the exclusion has little effect.
>
> Further, it does little to protect patients. Consider a patient whose physician is the target of a fraud investigation. The patient's record is lawfully obtained by the law enforcement agency. The record is not excludable under the Jeffords exclusionary rule. Anything that a patient tells a physician can be used against the patient. The exclusionary rule affords no real protection to any physician-patient communication. Because federal law enforcement agencies have authority to obtain EVERY health record in the country, every revelation by a patient to a doctor may be accessed and used against the patient in all circumstances.
>
> The worst new law enforcement feature of the Jeffords bill is found in Section 215. Law enforcement officers who violate the law would not be personally liable unless the violation was a result of intentional conduct committed with the intent to sell, transfer, or use information for commercial advantage, personal gain, or malicious harm. A law enforcement official who illegally and negligently disclosed health care records would not be liable. An investigator who exposed millions of health records to public view by negligently leaving the records in a public file on the Internet would not be liable to anyone. No other person who obtains health information under the bill would be immune from responsibility for their conduct.
>
> ##########################
```
