Search Terms: health information privacy, House or Senate or Joint
Document 40 of 45.
Copyright 1999
Federal News Service,
Inc.
Federal News Service
View Related Topics
APRIL
27, 1999, TUESDAY
SECTION:
IN THE NEWS
LENGTH:
2824 words
HEADLINE:
PREPARED STATEMENT OF
ROBYN S. SHAPIRO
ON BEHALF OF THE
AMERICAN BAR ASSOCIATION
BEFORE THE
SENATE
COMMITTEE ON HEALTH, EDUCATION, LABOR AND PENSIONS
SUBJECT - CONFIDENTIALITY OF MEDICAL INFORMATION
BODY:
Mr. Chairman and distinguished Committee members, thank you for this opportunity to present the views of the American Bar Association (ABA)/1 regarding legislation to protect the privacy of health care information, particularly as it affects law enforcement interests and needs.
ABA President Philip S. Anderson asked me to testify on his behalf today because of my longstanding involvement with health records privacy issues. I serve on the governing board of the ABA Section of Individual Rights and Responsibilities and previously was chair of the Section's Health Rights Committee. which originated the ABA's policies in this area. In addition, I am a professor of Bioethics at the Medical College of Wisconsin, Director of the College's Center for the Study of Bioethics. and a partner in the Health Law Practice Group of Michael Best & Friedrich LLP. a large law firm in Milwaukee. Much of my practice and academic work focuses on health records privacy concerns.
ABA Policy Regarding the Confidentiality of Health Care Information
The ABA has had policy addressing certain aspects of the privacy of health care information for several years. This past February, the ABA supplemented existing policy with an additional statement developed to address recent advances in genetic capabilities, the increasing prevalence of computerized health information, and the growing significance of disparities among state
health information privacy
laws. The ABA's most current health records policy was drafted only after thorough research of the issues and careful consideration of the opinions of experts in relevant fields. It was adopted by the House of Delegates. the ABA's policymaking body, after open debate on the issue.
The salient provisions of the ABA's policy (see attachment) affirm our strong support for federal legislation that would ensure that:
(1) Confidential, personally identifiable health information is not disclosed without informed, voluntary, written authorization except for specific and limited purposes--including when disclosure is necessary to comply with:
(a) a court order: (b) a proper discovery request or subpoena: or
(c) other constitutional request by a law enforcement or regulatory agency;
(2) Those who possess personally identifiable health information have a continuing obligation to refrain from misusing it: and
(3) Disclosures of personally identifiable health information are tracked, and
(4) Parties who violate the law knowingly or. in the case of corporate entities, with reckless disregard, are subject to meaningful penalties.
Of the three major
health information privacy
proposals currently under consideration by the Senate, S. 573, the "Medical Information Privacy and Security Act," is most consistent with these policy provisions. Specifically, in accordance with ABA policy, S. 573 would limit disclosure of health information to investigative or law enforcement officials to circumstances where disclosure is necessary to comply with:
(a) a warrant;
(b) a grand jury subpoena; or
(c) a court order, following proper notice, based on shorting probable cause to believe that: (i) the health information sought is relevant and material to an ongoing criminal investigation;
(ii) the needs of the officer cannot be satisfied by de-identified health information or an)' other information: and (iii) the law enforcement need for the information outweighs the privacy interest of the individual to whom the information pertains.
In addition, by prohibiting use of disclosed protected health information in subsequent, unrelated legal actions or investigations and by requiring the destruction or return of disclosed health information at the conclusion of the matter for which it was disclosed.
S. 573 accords with ABA policy provisions imposing upon those who possess health care information a continuing obligation to refrain from misusing it. Finally, the bill's provisions concerning the availability of criminal and civil penalties in individual causes of action satisfy ABA policy requirements for meaningful redress for violations of the law. We believe that by requiring that disclosure of health information occur only in appropriate and carefully controlled circumstances, these provisions strike an appropriate balance between the need to safeguard the privacy of health information and the need to facilitate legitimate law enforcement investigations.
The Need for Health Care Information Privacy
Health care information is uniquely sensitive and personal. Typically, patient records contain detailed information about the patient's history, of diseases, tests, treatments and medications; the patient's family members' medical history; any history of substance abuse or mental illness; the patient's dietary habits; the patient's employment status and income; and thehealth care provider's subjective impressions of the patient's character, personality and mental state.: With rapid advances in genetic capabilities, many patients' medical records now also contain genetic test and treatment information that often discloses not only probabilistic information about the patient's future, but also personal data about the patient's siblings, parents. and children. Unwarranted disclosure of health-related information can be devastating both to the patient and to others associated with that person. For example, genetic information about an individual is particularly susceptible to misuse because it can reveal medical facts about future health risks of the individual and the individual's relatives. Unauthorized disclosure of such information already has led to documented cases of discriminatory treatment by potential employers and insurers.
Equally important, however, disclosure can have significant public health consequences: individuals who fear that their privacy will not be respected/3 are less likely to discuss their conditions or risky behaviors candidly with their health care providers. In some instances, they may decide not to seek treatment at all and not to participate in clinical trials. They thereby increase the risks of misdiagnosis, inadequate care. and stymied medical research and deprive themselves--and all of us--of the benefits of both public health information and enhanced medical knowledge.
Disclosure of Health Care Information to Law Enforcement
Law enforcement agencies seek access to personally identifiable health information primarily for two purposes. First, prosecutors and agencies rely on individual patient records when investigating potential cases of fraud in the health care industry. Although the targets of fraud investigations usually are the health care providers and payors, investigators often review patient records to confirm the fraudulent activity. Second. law enforcement officials use health information to investigate specific individuals in matters unrelated to fraudulent activity.4
In some states, law enforcement officials are free to search through patients' medical records without any legal process at all. In other states, law enforcement officials use compulsory, process, in the form of a warrant or subpoena, to obtain patients' medical records.5 In the first instance, there clearly are no privacy protections for individuals' records; in states requiring warrants or subpoenas, the thresholds for obtaining the information vary considerably. For example, while some states require prior judicial approval for the issuance of certain subpoenas, others impose no such requirement. And at the federal level, an agent who seeks to obtain a grand jury. subpoena to access medical records need only convince a prosecutor that the information sought is relevant to the scope of a pending grand jury. investigation,6 a bar so low that it is not really a safeguard at all against inappropriate or unnecessary disclosure. In these circumstances, there is no judicial oversight unless the recipient of the subpoena refuses to disclose the information, in which case officials must seek a court order to compel disclosure. Even when such an order is required, however, protection is limited: if the subpoena has been served on a physician being investigated for fraud, for example, the physician's patients may not have the necessary standing to challenge the subpoena.7 And because grand jury subpoenas entail no notice requirements, the patient may never even become aware that law enforcement officials have obtained personal information from the physician.8
In cases where health care information is obtained pursuant to a subpoena, there is no guarantee that the information will be used only for the purpose for which it was obtained. Although evidence that is shown to a grand jury. is sealed for secrecy, information obtained but not shared with the grand jury is not sealed and could be used for other purposes.0 As early as 1977. the Privacy Protection Study Commission. recognizing this fundamental gap in privacy protection, concluded that the grand jury subpoena had become "little more than an administrative tool" by which law enforcement could access records without having to satisfy the search warrant probable cause standard.10 This criticism since has been echoed in. e.g.. Thurman v. Texas. 861 S.W. 2d 96. 101 (Tex App 1993), where the court stated, "The unrestricted use of grand jury subpoenas to obtain medical records is a serious threat to privacy. There is almost no limit on what can be obtained without the knowledge or approval of any court, any grand jury, ... or the person affected."
As you know, there is no comprehensive law that guards against these kinds of threats to individuals' privacy by providing significant protections for health-related information. Yet the need for such protections is evident to the medical community, the legal profession, and even the general public. Inappropriate and damaging access to information is being documented by the media. For example, in August 1998, The Washington Post reported that in Fairfax. Virginia. just outside our capital city, police investigating a car theft secured a warrant from a country magistrate to seize the medical records of 79 drug-treatment patients because they attended a clinic 200 yards from the location where the vehicle disappeared. The police gave no reason to suspect anyone connected with the clinic. In his affidavit requesting the warrant, the detective stated that obtaining the records was necessary because "(i)t is common for people who have addiction of various narcotics.., to engage in these kinds of criminal activities to support (their) drug addictions."11 Following the clinic's petition to the court for return of the records (but prior to court action on the matter), the police conceded that their search warrant was not appropriate. 12
The ABA of course recognizes that law enforcement agencies do need access to health record information in some circumstances and that obtaining such access should not be so burdensome that it thwarts legitimate investigations. However, we do not believe that the safeguards proposed in S. 573 or similar legislation would pose any such burden; on the contrary, they are necessary, to ensure minimum privacy protections for all.
Both the ABA policy and provisions of the "Medical Information Privacy and Security Act" outline ways in which any tension between the individual's fight to privacy and society's interest in effective law enforcement can be resolved through clear legislative delineation of l) the specific circumstances in which law enforcement officials may access protected health information; 2) the probable cause criteria and notice requirements for the issuance of court orders for disclosure of such information to law enforcement: 3) restrictions on use of such information for other law enforcement inquiries: 4) requirements for destruction or return of the information at the conclusion of the matter for which the information was disclosed: and 5) meaningful penalties for violations of the law. In fact, precedent for these sorts of restrictions already exist in other contexts. For example, current federal law requires a law enforcement agency to obtain a court order before accessing personally identifiable information concerning a cable television subscription, and such a court order may not issue unless officials establish by "clear and convincing" evidence that the information sought is material to the investigation for which the information is being sought.13 Surely, no one can disagree that the confidentiality of health-related information deserves at least as much protection as our choices in television viewing.
Indeed, the intimate nature of health records information and the potential ramifications of its misuse require a special response in the law. In this area, it is simply not enough to impose penalties for misuse of health information by law enforcement. First, it is unlikely that punishment -- always administered after the fact -- will reassure the public that unlawful access to or use of information won't occur again. As noted by Dr. Marcia Goin. Clinical Professor of Psychiatry at the University of Southern California School of Medicine, "People don't feel safe in their homes (just) because their state has enacted the death penalty. Similarly, public trust in protection of medical information privacy will not be supported by the enactment of harsh punishments for the misuse of patient information."14 More important, however, protection of such information should be affirmative, proactive, and as comprehensive as possible to ensure that inappropriate access or use is unlikely in the first instance.
Conclusion
Protecting the confidentiality of personally identifiable health information is critical to safeguarding the trust in the patient- physician relationship and promoting the public's trust in our country's health care deliver' system. Federal legislation that establishes a uniform, minimum national standard for privacy and confidentiality of health information is essential to accomplish that objective. This standard must guard appropriately against law enforcement agencies' overbroad access to health information while taking into account their need for access in accordance with established processes and constitutional guarantees. In the end. any system that fails to assure such protection will undermine the public's trust and thereby fail to maintain public's support. Such failure will create the unacceptable risk that we, as individuals, will withdraw from full and honest participation in our own health care decisionmaking.
FOOTNOTES:
1 The ABA. the world's largest professional organization, with more than 400,000 members, is the national representative of the legal profession, serving the public and the profession by promoting justice, professional excellence, and respect for the law. The Section of Individual Rights and Responsibilities focuses on civil rights, civil liberties, and human rights concerns.
2 See Office of Technology Assessment, "Protecting Privacy in Computerized Medical Information" (1993).
3 Surveys consistently indicate that Americans are worried about access to and use of personal information by others, and that the privacy of health-related information is of particular concern. See Equifax/Harris Consumer Privacy Study (1995), in which 80% of respondents said that "consumers have lost all control over how personal information about them is circulated and used by companies" and Equifax/Harris Health Care Information Privacy Survey (1993), in which 85% of the respondents said that the confidentiality of health data is "absolutely essential" or "very important."
4 See Barefoot, B., "Enacting a Health Information Confidentiality. Law: Can Congress Beat the Deadline?" 77 N.C. L. Rev. 283, 341 (1998), citing Robert S. Lit't, Deputy Assistant Attorney General, Testimony on Behalf of the U.S. Dept. of Justice Before the Subcommittee on Privacy and Confidentiality of the Nat'l Comm. on Vital and Health Statistics 10 (Feb. 18, 1997).
5 Id.
6 Id.
7 United States v. Miller, 425 U.S. 435 (1976) suggests that courts may be reluctant to recognize individuals' protected interest in information about them held by a third party.
8 See Privacy Protection Study Commission, "Personal Privacy in an Information Society" 282, 366 (1977).
9 See Barefoot. supra n. 4 at 341, citing Privacy Commission, id., and Litt Testimony, supra n. 4.
10 See Privacy Commission, supra n. 8 at 377.
11 Masters, B., "Fairfax Police Criticized for Seizing Clinic Files," The Washington Post, Aug. 28, 1998.
12 Masters, B., "Fairfax Police Concede Seizure Was Wrong", The Washington Post, Sept. 1, 1998.
13See 47 U.S.C. Section 551 (h) (1994).
14 Skolnick AA, "Opposition to law officers having unfettered access to medical records," JAMA, 279 (4): 257-9, Jan. 28, 1998.
END
LOAD-DATE:
April 28, 1999
Document 40 of 45.
Search Terms: health information privacy, House or Senate or Joint
To narrow your search, please enter a word or phrase:
Copyright © 2002, LEXIS-NEXIS®, a division of Reed Elsevier Inc. All Rights Reserved.