Date: Thu, 5 Apr 2001 19:17:10 -0400
From: freematt@coil.com (Matthew Gaylor)
Subject: Professor Swire's Response RE: DefendYourPrivacy.com
To: freematt@coil.com (Matthew Gaylor)

From: "Peter Swire" <swire.1@osu.edu>
Subject: RE: DefendYourPrivacy.com: Just the Facts, mam!
Date: Thu, 5 Apr 2001 12:04:14 -0400
I will try to address the points in order. My focus in each case is on what the rule says, not on what others have claimed it says. Then each reader can try to decide for him/herself what the rule would really do.
(1) Make the rule simple. Mr. Getz says if we want to protect privacy, "the task could be accomplished in one sentence: "Any individual or entity that knowingly accesses or disseminates any other individual's medical records without their consent shall be fined not more than $10,000, sentenced to three years in prison, or both." (or whatever.) Here are a few scenarios, just as illustrations, where requiring consent would cause problems:

(1) The patient is in a coma.
(2) The patient has a highly contagious disease, which is being tracked by public health authorities to prevent the spread of an epidemic.
(3) The police have a valid search warrant for the records.
(4) The patient gave consent to one doctor, but a different doctor (radiologist) is called in for consultation without getting a new consent.
(4) The doctor sent the record to an insurance company for payment.
(5) The doctor's office has its routine audit, by a CPA or an accrediting organization or Medicare, to ensure that the records are in order and there is no fraud.
(6) The doctor turns over the record to her lawyer in defending a malpractice claim.
(7) A judge requires the doctor to turn over the records to all the litigants in the court suit.
(8) The record is being used for important medical research, and the patient's consent cannot easily be obtained (for instance because the patient is dead or has moved away and there is no representative of the patient that can be easily contacted).
(9) And so on -- this list took about two minutes to write.

For each situation, Mr. Getz may say that we should write a sensible rule (or have common law judges apply sensible rules) to permit the use. Or he may object to some of the uses (I doubt he objects to all of them). Well, the HHS rule was the result of a public notice and comment process to try to figure out a good approach to each of these situations and many more. Imagine the outrage if we had promulgated Mr. Getz's one sentence rule and then all the users of the records had explained the problems.
(2) Marketing provision. I discuss this topic in my comments to HHS. Available at www.osu.edu/units/law/swire.htm.
(3) The worldnetdaily.com statement: "Any government agent claiming a 'national priority purpose' can poke around in your most private medical details. In many cases, the government can then release your personal medical information from government files without anybody having to ask your permission." I discuss the "national priority purpose" provision in my comments, and explain there the legal reasons why this sort of release would not be lawful under the rule.
(4) Public health release. There is a very long history in this country of releasing certain records to public health authorities. Stopping contagious disease is an important goal, and it would have been very controversial, to say the least, if the rule had prohibited all sharing of information with public health authorities. That said, there is a legitimate point that the new rule does not put new restrictions on the way records are handled by public health authorities once they are received. There is also a simple reason why the rule does not do so -- the HIPAA statute did not give HHS any authority to impose those restrictions on public health authorities. The Clinton Administration consistently has said that this is one of the ways that the statute should be fixed. We testified in Congress on this, and I would welcome any alliance that says that more attention should be paid to ensuring that records given to public health agencies should be handled in a confidential way.
(5) Unique health identifier. In 1998 the Clinton Administration said it would not implement the unique health identifier for individuals. Congress agreed, implementing a rider confirming the Administration policy that no HHS funds should be used to develop it. Note that there are unique health identifiers for hospitals, insurers, and doctors, which is a system designed to have accurate payments in the medical system. But that's a different "health identifier" on businesses and professionals, not on patients. It would take a new decision by the new Administration before there is any unique health identifier for patients.
(6) Rep. Paul's office. I wrote detailed comments to the Congressman's office in response to his statement. A staffer asked for follow-up information by email, but I am not aware of any subsequent statement by his office.
I have tried here to respond concisely and factually to each point in Mr. Getz's email. If there is interest, I would be willing to have continued written exchanges on the issue, or have a public discussion. I am in DC the latter half of each week in April and full-time after May 1. I, too, want "Just the Facts, mam" because this is an important matter where being clear on the issues should help the debate.
Peter Swire