REMARKS BY: 	DONNA E. SHALALA, SECRETARY OF HEALTH AND HUMAN SERVICES 
PLACE:		Harper Fellow Lecture, Yale University School of Law, New Haven Connecticut
DATE:		October 7, 1999

Medical Privacy In Post-Industrial America


Thank you that gracious introduction - and for inviting me to present the Harper Fellow Lecture this afternoon. As a number of you know, I'm not trained as an attorney; my academic background is in political science. That makes little difference at the Yale Law School. I actually taught a course here in the 1970s on urban finance. In addition, as HHS Secretary, hardly a day goes by that I'm not talking to; taking advice from; or sharing a bottle of aspirin with - a lawyer. The fact is I'm sued thousands of times every year -- and the Supreme Court always seems to be reviewing a case where my name figures rather prominently. And, over the years, I've noticed that a good number of the attorneys I've had the opportunity to work with on these cases were trained here at Yale.

Arthur Wellesley, the Duke of Wellington, once observed that "the battle of Waterloo was won on the playing fields of Eton." Well, after my time in the Cabinet, I'm convinced that many of the laws and policies that will guide America in the next century are being crafted in New Haven today.

Sure, it's the lectures and classes you attend, but, perhaps even more, it's the conversations you might have over a slice at Pepe's or Sally's Pizza. Of course, that's the most exciting thing about being part of any community of scholars, but it's something that's always been a particularly important aspect to life here at Yale. I think it's part of what made it one of the first schools to grasp that an interdisciplinary approach is essential for the law to respond to the challenges of modern society.

After all, it was Yale lawyers who helped FDR guide the New Deal. And much as attorneys trained here helped shape America as an industrial democracy, I'm convinced you can help America respond to the new challenges we're facing as a post-industrial democracy.

Today, we're a nation that produces less steel, but more science. A nation that exports less coal, but more information. The number of jobs requiring science or engineering expertise is growing three times faster than other occupations. It's the post-industrial revolution . . .and nowhere is this transformation more stunning than in the growth of medicine -- now one-seventh of our economy. When I was growing up in Cleveland, for example, the local economy rested on heavy industry. Well, today, the largest employer in town is the Cleveland Clinic: one of the most technologically advanced health care providers anywhere.

Fueled by scientific research, American medicine is becoming to the world of the 21st century, what American manufacturing was to the world of the 20th. And, with this incredible growth, the healing arts - and the legal arts - are now intertwined as never before. And they are certain to become more so. From food safety to managed care to clinical research - law and regulation are struggling to keep a rapidly changing health care system from becoming a runaway train. Yes, we want to continue the spectacular advancements in how medicine is practiced and delivered. But, at the same time, we don't want our science to ever get ahead of our ethics. And there's no shortage of examples of how the new world of high-tech medicine under some circumstances could do just that.

For example, in the current edition of Commentary, Leon Kass of the American Enterprise Institute writes that, despite the proven value of genetic technology in fighting disease, some could potentially misuse it. Quoting C.S. Lewis, Kass warns that "each new power won by man is a power over man," and that "each advance leaves him weaker as well as stronger." Though I tend to be a bit more optimistic than Professor Kass, I do want to address one area where the potential for abuse -- and the need for regulation -- is already manifest. And that's the issue of medical privacy.

As you know, in his historic Olmstead dissent, Justice Brandeis wrote that the framers, "conferred, as against the Government, the right to be left alone - the most comprehensive of rights and the right most valued by civilized men." To which I would add: "and women." At the time, Brandeis was referring specifically to government interference with privacy. But this broad statement of policy could easily cover both public and private sector intrusion into our personal lives. It was an intrusion he saw the judiciary unwilling to address.

Years earlier Brandeis spoke to this failure in an 1890 Harvard Law Review article when he asked the question "shall the courts thus close the front entrance to the constituted authority and open wide the back door to idle or prurient curiosity?" At the time, Brandeis was chiefly concerned with the practices of newspapers. Given that we now live in a world of microprocessors, 20 gigabyte hard drives and the Internet, it would be fascinating to ask Brandeis his opinion about the minefield of potential privacy threats that confront us today.

I think if Brandeis were alive today, though, he might agree that while today's technology is far more sophisticated than anything that could have been imagined in his day, that human nature has hardly advanced at all. He might also agree that, even in this age, technology can remain our servant, but only if we build the necessary safeguards. Safeguards that preserve our uniquely American belief in the right to privacy. And, I submit that begins with guaranteeing the privacy of our medical records.

Let me take a poll. How many of you have rented a videotape this year? Well, you may not realize it, but there is a federal law that protects the privacy of your videotape rentals. It's true: a Blockbuster video card guarantees you more privacy than your health insurance card. If you like Denzel Washington better than Bruce Willis, or Gwynneth Paltrow better than Sandra Bullock, that information is protected by law.

But if you have a family history of breast cancer. If you've had an abortion. If you've been prescribed anti-depressant drugs. Or if you've tested positive for HIV. There is no federal law telling health care professionals and payers what they can - and cannot - do with that information. And that means the potential for abuse is enormous. Especially when you consider that, today, we not only have a burgeoning volume of health care records, but a system where information can be sent instantaneously through hospitals and doctors' offices, across state lines - and even international borders.

Even more, we live in a time when some Americans sign blanket consent forms to have their records released for fear that refusing to will prevent them from getting the services they need.

We have abuse. And we have fear of abuse. But what we don't have are national standards for protecting the privacy of our medical records. And that must change. The bottom line is that in a post-industrial democracy, protection of medical histories must be sacrosanct. That must be true no matter where you live, and no matter who pays for your care.

That's why President Clinton called on Congress to pass legislation this year to protect the privacy of medical records. We pointed out that, if we don't act now, public distrust could deepen to the point where citizens stop disclosing vital information to their physicians. That could easily result in Americans going without needed treatment for mental illness. Or avoiding certain diagnostic procedures. It could even lead to patients refusing to take part in clinical research trials.

A national survey released earlier this year reported that one-sixth of respondents indicated that, on their own, they had taken some form of action to avoid the misuse of their personal health information. What did they do? They said they provided inaccurate information. They changed doctors frequently. And, simply to avoid abuse of information, some reported they failed to seek care entirely.

Under the Health Insurance Portability and Accountability Act - also known as the Kassebaum-Kennedy law - Congress had until August to address these issues and pass a comprehensive medical privacy bill. Well, Congress did not meet its deadline. Although, as I just said, we are still encouraging them to act.

However, Kassebaum-Kennedy did give me limited authority to act if Congress wouldn't. That's why we're drafting regulations to be released this fall. But the authority I have under Kassebaum-Kennedy isn't comprehensive. That's why, no matter what we do in this Administration, we know it will still be up to Congress to finish the job and create lasting legal protections for the privacy of medical records in all their forms.

What do I mean by lasting legal protections? Let me describe the five key principles that guided our thinking.

Principle One: Boundaries.

With only limited exceptions, a health care consumer's personal information should be disclosed for health care and health care only. For example, we recommend that a hospital be able to use personal health information to teach, train, conduct research, provide care, and ensure quality. We believe that employers who get health care information to pay claims must never use that information for non-health purposes like hiring, firing and promotions. The same goes for third parties that are hired to do billing and other services. Even if they don't collect this information, they must protect it.

The second principle is security.

When Americans reveal their personal health information, they should know they're leaving it in safe hands. If we are going to guarantee its safety, Congress must pass a law that says: If you receive health information legally, then you must take real steps to keep that information out of the wrong hands.

Principle Three: Consumer Control.

Individuals should never have to trade in their right to privacy to enjoy their right to quality health care. That's why we recommend that Americans be given the power to ask the right questions: Who's looking at my records? What's in them? How do I get them? How can I change incorrect information? Let me give you an example of why this is important. A physician in private practice was having trouble getting health, disability, and life insurance. She ordered a copy of her report from the Medical Information Bureau - a clearinghouse used by many insurance companies. The report included information about her heart problems and her Alzheimer's disease. There was only one problem. None of it was true. That's why consumers must be able to know - and control - what is in their medical records.

Our fourth principle is accountability.

If you're using medical information improperly, you should be severely punished. For example, we believe in voluntary AIDS testing. But we know people will avoid being tested if they don't think their records are secure. And one important way to make sure they are secure is to have stiff penalties. As for people living with HIV/AIDS, they don't just worry about their health. They also worry that information about their health could result in discrimination in jobs and health insurance. That's why we are also fighting to enforce the Americans with Disabilities Act. And that's why we continue to support ending genetic discrimination in health insurance. But, as we work to protect Americans' privacy, we must recognize that we have other critical - and sometimes competing - goals.

Which brings me to Principle Five: Public Responsibility.

Just like free speech rights, privacy rights can never be absolute. We must balance our protection of privacy with our public responsibility to support other national priorities. For example, public health agencies use health records to warn us about - and protect us from - outbreaks of infectious diseases. Law enforcement agencies also need medical information to root out fraudulent practices by health care providers. I'm not arguing for a free pass for research or law enforcement. But I am arguing for balance and reasonable safeguards. That's important - not only to protect privacy, but for less obvious reasons too. For example, protecting normal trade relations. Under the European Union's Privacy Directive, if we don't protect health records soon, we might lose the right to share valuable research data with Europe.

All five of these principles are important. That's why each day we must insist that Congress pass a comprehensive medical privacy and confidentiality law. But let me be clear: we will move forward with regulations - not only because the law requires us to, but because it is the right thing to do. This isn't to say it won't be challenging.

Since I'm talking to an audience that includes many future lawyers, let me share with you just a few of the unanswered questions surrounding enforcement of a strong privacy law. I'll use what I call "Socratic method lite." I'll ask questions, but I won't call on anyone for the answers. Question: Should auditors be allowed to examine your medical records looking for fraud committed by a doctor? Most people would say, yes. But, suppose law enforcement officers are looking through insurance records for fraud and stumble upon evidence of an unrelated crime - say drug use. What then? Similarly, what happens if researchers stumble upon information about someone who may have exposed you to HIV? Is their obligation to your safety? Or the other person's privacy?

What happens if drug companies find out that you suffer from heart disease and start sending you information about a new treatment? Is that helpful or offensive? Does your answer change if the disease is depression? What about sexually transmitted diseases?

These are tough questions and they are not going away. That's why we need to be flexible. We need to be open to all views. And we need a national commitment from government, the health care industry, consumers - and the legal profession - to find the right answers. Answers that make sure health care information is secure. That those who fail to protect it are held accountable. That each of us retains control over our health information. And that we figure out how to balance the use of our health information with other core public responsibilities.

Two days ago marked the 58th anniversary of Louis Brandeis' death. At the time of his passing, one of his daughters --Elizabeth Raushenbush -- told a friend of hers: "Father was quite ready to go. He felt he had lived to the full and that others must now carry on the work he had attempted." As we enter this remarkable post-industrial era, I think it's up to all of us to make it our personal business to fulfill Brandeis' mission. Because as he warned us so many years ago: "The greatest dangers to liberty lurk in insidious encroachment by men of zeal -- well meaning, but without understanding."

Can we have public service and privacy in a post-industrial democracy? I'm convinced we can . . . and that we must. But, again, that can begin only by recognizing that even though technology can be improved and even perfected, human nature will never be so flawless.

Thank you.

###