Recognize and Protect Americans’ Right to Health Information Privacy in Health IT
By Prudence Gourguechon, MD
By Elizabeth Clark, PhD, ACSW, MPH
Dear President-elect Obama:
We look forward to your inauguration with the hope that you will restore the public’s trust in the nation’s institutions which has been so badly shaken by the failed policies of the Bush Administration over the past eight years. Nowhere is trust more important than in the delivery of quality health care and particularly for effective mental health care.
“Accordingly, we ask that you assure Americans that health information technology legislation under the Obama Administration will preserve and protect the patient’s right to health information privacy rather than erode or eliminate that right.”
We are encouraged that your nominee for DHHS Secretary, Senator Tom Daschle, has made prior statements reflecting support for the right to health information privacy in health IT legislation:
The issue of privacy touches virtually every American, often in extremely personal ways. Whether it is bank records or medical files or Internet activities, Americans have a right to expect that personal matters will be kept private. Today, in too many ways, however, our right to privacy is at risk. Our laws have not kept up with sweeping technological changes. As a result, some of our most sensitive, private matters end up on databases that are then sold to the highest bidder. That is wrong, it’s dangerous, and it has to stop.[1]
We are further encouraged by the recent statements of Senate Majority Leader Reid and House Majority Leader Hoyer that Congress should get the items in the stimulus package right “the first time.”[2] In 2004, President Bush announced a goal of ensuring that most Americans’ health records would be accessible in an electronic health information system by 2014.[3] The Department of Health and Human Services has pushed to accomplish that goal while demonstrating little commitment to preserving the individual’s right to HI privacy.[4] HHS under the Bush Administration ignored the earlier HHS findings that strong privacy protections are essential if the full benefit of health IT is to be realized.[5] The Bush Administration “replaced” the individual’s right of consent for the disclosure of identifiable health information adopted in the HIPAA Privacy Rule by the Clinton Administration, with “regulatory permission” for millions of covered entities and their business associates to disclose identifiable health information without the individual’s consent and over his or her objection.[6] This policy reversal stripped Americans of their traditional health information privacy protection and essentially turned the HIPAA “Privacy” Rule into a disclosure rule.
In the past five years since the amended HIPAA Privacy Rule was put into effect, there have been more than 40,000 complaints of health information privacy violations of the HIPAA Privacy Rule, but HHS has not imposed a single civil penalty.[7] Since January 2005, the privacy of more than 42 million electronic health records has been breached or compromised.[8] Currently 250,000 Americans each year are victimized by health identity theft.[9] A recent HIT industry survey found that all of the electronic health information systems currently in use are “severely at risk of being hacked” and the health information stolen or altered.[10] According to Department of Justice figures, 67% of health care businesses that use health IT have been the victims of cybercrime resulting in the health IT systems of more than 80% of those businesses being down five hours or more at a cost of tens of thousands to hundreds of thousands of dollars. Health care businesses reported the greatest duration of downtime of any category of business.[11] Electronic data breaches increased by nearly 50% last year.[12]
It is, therefore, not surprising that nearly 70% of Americans have heard or read about medical records being lost or stolen, and most of those believe that computerized health records are the most vulnerable. Approximately 21 million Americans believe their medical records already have been lost or stolen.[13]
Even the Bush Administration has conceded belatedly that privacy protections are essential for public acceptance of a health IT system and that those protections must include the right of the individual to make an “informed decision” about the collection, use and disclosure of individually identifiable health information.[14] HHS Secretary Leavitt recently stated, “Consumers shouldn’t be in a position to have to accept privacy risks they don’t want.”[15]
Other groups that have been hesitant in the past to support privacy protections have recently begun to acknowledge that health IT legislation must require privacy protections in the “forefront of all technological standards” and must assure the public that identifiable health information will be disclosed only with the patient’s consent.[16] Even the Department of Homeland Security has recently adopted Fair Information Privacy Practices consistent with the Privacy Act of 1974 that require individual consent for the collection, use, dissemination, and maintenance of personal information.[17]
There should be no question that Americans have a right to privacy for highly personal health information. The right to informational privacy was recognized by Congress as a “fundamental right” of all Americans protected by the Constitution in the Privacy Act of 1974 and by HHS under the Clinton Administration when it issued the original HIPAA Privacy Rule.[18] According to prevailing case law, the Constitutional right to privacy for highly personal health information is now so well established that no reasonable person could be unaware of it.[19] The right to health information privacy is also protected by the physician-patient privilege recognized in 43 states,[20] and the psychotherapist-patient privilege recognized in all 50 states, the District of Columbia and in Federal common law.[21] The right to privacy of personal information including health information is also protected by the tort law or statutory law of all 50 states,[22] and 10 states include a specific right to privacy in their state constitutions.[23]
HHS, under both the Bush and Clinton Administrations, has recognized that health information privacy is essential for quality health care because patients will not disclose information necessary for accurate diagnosis and treatment unless they are confident that their right to health information privacy will be protected.[24] The patient’s right of consent for the disclosure of identifiable health information is also a core element of the standards for the ethical practice of health care for virtually all health professionals.[25]
Accordingly, we ask that you take a truly patient-centered approach to health IT and that you ground a national electronic health information system in the core concept of professional ethics which provides that, where possible, informed consent will be obtained for the disclosure of an individual’s identifiable health information.[26]
We recommend that you adopt the patient-centered, ethics-based approach to health IT set forth in the TRUST Act (H.R. 5442) which was introduced by Congressman Ed Markey in the last Congress and was co-sponsored by former Congressman Rahm Emanuel, current Energy and Commerce Chairman Henry Waxman and 13 other House members.
The country needs a new direction in health information technology legislation that preserves and protects fundamental rights and acknowledges that, while health IT may provide benefits in the future, it also poses an immediate threat to the right to privacy that Americans cherish and expect.
With the greatest respect and hope for the future.
Prudence Gourguechon, MD
President
American Psychoanalytic Association
Elizabeth Clark, PhD, ACSW, MPH
Executive Director
National Association of Social Workers
For more information, contact:
James C. Pyles, Esq.
Powers Pyles Sutter & Verville, PC
1501 M Street, N.W., 7th Floor
Washington, D.C. 20005
202/466-6550
jim.pyles@ppsv.com
For the American Psychoanalytic Association
James K. Finley
750 First Street, N.E.
Suite 700
Washington, D.C. 20002
292.366-8315
jfinley@naswdc.org
For the National Association of Social Workers
REFERENCES:
[1] Statement by Senator Tom Daschle on the establishment of the Congressional Privacy Caucus, Cong. Record-Senate, S11777 (Dec. 14, 2000).
[2] Top Democrats Give Longer Timetable for Stimulus Bill, The Washington Post, A2 (Jan. 5, 2009).
[4] Health Information Technology, Efforts Continue but Comprehensive Privacy Approach Needed for National Strategy, GAO-07-988T, p. 3 (June 19, 2007); Health Information Technology, Early Efforts Initiated but Comprehensive Privacy Approach Needed for National Strategy, GAO-07-238, p. 4 (Jan. 10, 2007).
[5] 65 F.R. 82,466 (Dec. 28, 2000).
[6] Compare, “Our regulation will ensure that those consents cover the routine uses and disclosures of health information, and provide an opportunity for individuals to obtain further information and have further discussions, should they so desire.” 65 F.R. 82,474 (Dec. 28, 2000) with “The consent provisions…are replaced with a new provision…that provides regulatory permission for covered entities to use or disclose protected health information for treatment, payment and health care operations.” 67 F.R. 53,211 (Aug. 14, 2002).
[7] Health Information Privacy/Security Alert (Jan. 5, 2008).
[9] “Panel: Electronic Health Records May Save Money, But Can They Keep Information Safe?” CQ Healthbeat News (June 19, 2008).
[10] “Electronic Records at Risk of Being Hacked, Report Warns,” Search CIO.com (Sept. 19, 2007).
[11] Cybercrime Against Businesses, 2005, U.S. Dept. of Justice, Bureau of Justice Statistics, Special Report, pp. 6, 13, 16, 18-19 (Dec. 2008).
[12] Data Breaches Up Almost 50%, The Washington Post, D2 (Jan. 6, 2009).
[13] “Millions Believe Personal Medical Information has Been Lost or Stolen,” Harris Poll (July 15, 2008).
[15] HHS News Release (Dec. 15, 2008).
[18] Pub. L. 93-579, sec. 2(a)(4): “The Congress finds that the right to privacy is a personal and fundamental right protected by the Constitution of the United States.” “Privacy is a fundamental right.” 65 F.R. 82,464 (Dec. 28, 2000).
[19] Gruenke v. Seip, 225 F.3d 290, 302-03 (3rd Cir. 2000). See also, Sterling v. Borough of Minersville, 232 F.3d 190, 198 (3rd Cir. 2000).
[20] See, e.g., Northwest Mem. Hosp. v. Ashcroft, 362 F.3d 923 (7th Cir. 2004).
[21] Jaffee v. Redmond, 116 S.Ct. 1923 (1996).
[22] HHS Finding, 65 F.R. 82,464 (Dec. 28, 2000).
[23] Those states are Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington.
[24] National Privacy and Security Framework, p.1, Dept. of HHS (Dec. 15, 2008); 65 F.R. 82,468 (Dec. 28, 2000).
[25] Finding of National Committee on Vital and Health Statistics, report to Sec. Leavitt, p. 3 (June 22, 2006).
[26] American Medical Association policy, H-315.978 Privacy and Confidentiality, reaffirmed 2001.