Proposed Medical Records Privacy Rule: Comments to the Department of Health and Human Services

Advocacy Comments

Assistant Secretary for Planning and Evaluation
Attention: Privacy-P, Room G-322A
U.S. Dept. of Health and Human Services
Hubert H. Humphrey Building
200 Independence Ave. SW
Washington, DC 20201

Sent Via Overnight Delivery


Re: Comments on Proposed Federal Rule for Privacy of Individually Identifiable Health Information -- RIN 0991-AB08


Dear Assistant Secretary:


Thank you for the opportunity to comment on the Proposed Federal Rule for Privacy of Individually Identifiable Health Information.


The proposed rule takes some important steps forward by requiring implementation of fair information practices nationwide. Key among these privacy principles are the provision that healthcare providers offer individuals access to their medical records, and the requirement that individuals be given notice of their access and privacy rights.


Even though the proposed rule lays the foundation for the implementation of fair information principles, it takes several steps backward and gravely endangers patient privacy in a number of areas, explained below. Because of the significant shortcomings of the proposed rule, and because individuals have had relatively limited opportunity to learn about and comment on it, the Privacy Rights Clearinghouse recommends that the proposed rule be withdrawn and redrafted. Individuals must be given more opportunity to comment on such important and far-reaching regulations. Further, Congress must act to strengthen health privacy law in a number of areas not addressed by this proposed rule and its underlying statute, the Health Insurance Portability and Accountability Act of 1996 (HIPAA).


The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer information and advocacy program based in San Diego, California. It was established in 1992. The PRC operates a hotline and information service on practical ways individuals can safeguard their personal information. The definition of privacy that the PRC uses is the ability of the individual to control what is done with his/her personal information.


In the following comments, the Privacy Rights Clearinghouse highlights the provisions of the proposed rule that are of most concern to us. We generally support and have signed onto the Comments of the Health Privacy Project of the Institute for Health Care Research and Policy at Georgetown University, as well as the Comments of the Electronic Frontier Foundation.



The Department of Health and Human Services (HHS) consulted with numerous federal agencies, government-related groups, and business interests in preparing these standards. But based on the information provided in the Proposed Rule Making, it does not appear that HHS consulted with patient and consumer organizations to any great extent. [Federal Register 64:212, Nov. 3, 1999, p. 59922]


Recently, HHS rejected nearly 2,500 faxed Comments from individuals throughout the U.S. who had attempted to weigh in with their opinions on the proposed rule, a process that was facilitated by the ACLU. Individuals were instead directed to use the Department's web-based Comment filing service, or to mail them to HHS by the deadline date. Unfortunately, the web-based system is unwieldy and difficult to use, a significant barrier to participation in the Comments process. In addition, the filing instructions are complicated and not conducive to encouraging Comments from members of the general public.


We are critical of the fact that HHS has invited only limited input from individuals and from organizations that represent consumers of healthcare services. Unfortunately, the resulting proposed rule gives higher priority to the needs and interests of industry and of government, including law enforcement.


We recommend that the deadline for filing Comments be extended and that the instructions be simplified in order to encourage broader consumer input. It is individuals whose health information is at risk for improper and unnecessary disclosure. Therefore, such individuals and those who represent them must be able to participate in this public policy process.

The consequences of not drafting regulations that give high priority to the protection of individuals' health information are significant. There are numerous ways in which individuals can be disadvantaged when sensitive medical information is improperly disclosed: in employment opportunities, financial offerings, family relations, social standing, and the ability to obtain housing, to name a few.


A further consequence of the adoption of the proposed rule without taking into account the needs of individuals is that individuals are likely to avoid treatment altogether in order to prevent health information from being obtained and ultimately disclosed broadly. The long-term public health impact could well be severe.



Section 160.101 Statutory basis and purpose.



The purpose of the regulations is specified as the promotion of "administrative simplification." We recommend that the purpose be expanded to include the protection of the rights of individuals in their personally identifiable health information. The interests of individuals to control their medical records should be paramount in the establishment of these standards.



Section 164.502 Applicability.

We recognize that the applicability of these standards is limited by statute, the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Unfortunately, the regulations are limited to health plans, health care clearinghouses and certain health care providers. Entities not covered include life insurance issuers, employers, marketing firms, and administrative, legal, accounting and similar service providers. The draft regulation is also limited to electronic records and does not reach paper-based records.


It is important that Congress pass a comprehensive health privacy law to cover all entities that generate, maintain, disclose and/or receive individuals' health information. Such a law must also encompass paper-based records. In the meantime, the Secretary of HHS can promulgate regulations that expand the scope of entities covered and that apply to all health information, whether electronic or paper.



Section 164.506 Uses and disclosures of protected health information: general rules.

The proposed rule allows the disclosure of health information without explicit consent for the ill-defined categories of treatment, payment, and health care operations. We recommend that these categories be more narrowly defined and that individuals be given expanded ability to control the flow of their health information.


While HHS is to be commended for limiting access to psychotherapy notes without the individual's consent, related medical information would not be restricted in that manner. This shortcoming is likely to have the unintended consequence of discouraging individuals from seeking psychotherapy.


It further appears that the proposed rule contains a loophole in regard to psychotherapy notes. The limitations on the disclosure of such notes should be in effect throughout the rule, not simply limited to the section on treatment, payment, and health care operations.


Authorizations should be limited in time and scope. The proposed rule must be re-written to prohibit overly broad authorizations.


The definition of "treatment" includes disease management programs. There are many types of disease management programs, including those sponsored by employers. The definition should be amended to ensure that such programs are only conducted with the authorization of the treating physician. Further, the definition should be written to prohibit marketing uses of disease management information.


We recommend that the rule be revised to more strongly discourage the use of identifiable patient information when de-identified information could just as well be used.



Section 164.506(b)(1) Standard: minimum necessary.

A common complaint of individuals who contact the PRC hotline regarding medical privacy violations is that the healthcare provider or billing entity disclosed much more information than needed for that situation. For example, a medical office photocopied all records of a patient and gave them to the insurance agency, when the only records required were those dealing with the individual's broken arm suffered in an automobile accident.


We recall another case in which a medical office disclosed the entire record when subpoenaed for a court case, even though the subpoena clearly limited the information it sought. We recommend that this section of the proposed rule be strengthened to prevent such situations. It is especially critical that law enforcement be held to the minimum necessary standard.



Section 164.506(c) Standard: right of an individual to restrict uses and disclosures.

The proposed rule appears to give individuals only a token right to restrict uses and disclosures of their health information: individuals can request that the disclosure of their information be restricted, rather than simply having the right to restrict disclosure. There are specific situations where making a request is not sufficient. For example, victims of domestic abuse and stalking must be assured that the perpetrator is not able to determine their residential address from their health records. The proposed rule needs to be rewritten to strengthen the right of individuals to restrict disclosure in situations such as these.


Another situation in which individuals require a stronger right to restrict disclosure is when they choose to pay for healthcare themselves. The PRC has been contacted by individuals who want to self-pay so the insurance company or employer (sometimes they are one and the same) does not have access to sensitive medical information. A new provision should be added to the rule to enable self-paying individuals to restrict disclosure. We encourage you to adopt the approach of the medical records privacy law of Hawaii, described in the Comments of the Georgetown University Health Privacy Project (p. 29).


The provisions that we recommend here regarding restricting disclosure should pertain to all covered entities -- not only health providers but also health plans. There appears to be a loophole in the proposed rule that limits compliance to the original health care provider. Any entity that receives information regarding a restriction on disclosure must comply with it.



Section 164.506(f) Standard: deceased individuals.

The proposed rule provides that restrictions on releasing the health information of deceased persons be lifted two years after the date of death. There may be a number of reasons why family members would consider this to be an insufficient period of time. We recommend that the proposed rule be revised to omit any reference to a time period. Instead, the rule should specify the situations under which such information could be released, for example, to a family member who has a legitimate health-related reason for accessing such information.



Section 164.506 Uses and disclosures of protected health information: general rules.

It is estimated that at least half of all employers sponsor their own health plans for their employees and their families. The PRC has received numerous complaints from individuals whose health privacy has been violated in the workplace. The proposed rule should be clarified with respect to such employment-based health plans. There must be an effective "fire wall" established in the workplace to protect sensitive health information from disclosure to those without a legitimate need to know.



Section 164.508 Uses and disclosures for which individual authorization is required.

We stated above that health care providers should not be given carte blanche authority to disclose health information for purposes of treatment, payment, or operations without specific authorization from the individual. We support the requirement in the proposed rule that authorization be obtained for any disclosures not directly related to treatment, payment, or operations. Purpose specification must be a part of such authorizations. This is particularly important for information involving sensitive health conditions.


It is vitally important that such consent be voluntary and that it not be tied to the delivery of care. The PRC has received several complaints from individuals who, when they 'customized' an overly broad authorization form to cover the specific matter at hand, were denied service. Such coercion must be prohibited.



Section 164.510(c) Disclosures and uses for health oversight activities.

This section needs to be more narrowly written, in particular to prohibit the re-use and re-disclosure of protected health information in actions against individuals. Officials engaged in oversight functions -- for example, to investigate fraud -- have a valid reason to gain access to identifiable health records. But their access should not result in law enforcement officials gaining access without proper court-ordered warrants.



Section 164.510(d) Disclosures and uses for judicial and administrative proceedings.

This section needs to be strengthened to require that individuals be notified when their health records may be disclosed based solely on a letter from an attorney involved in a lawsuit. It is a well-known ploy in such proceedings that the plaintiff is discouraged from suing because the defendant's attorney threatens to bring sensitive and unrelated medical conditions into the proceedings. It is imperative that the individual whose medical information is subpoenaed be given the opportunity to object to and/or limit the disclosure. Court orders must likewise be able to be limited as to the content and the recipient(s) of the information.



Section 164.510(f) Disclosures for law enforcement purposes.

The proposed rule's limits on law enforcement access to health information are not sufficient. Such officials must be required to obtain legal process issued by a neutral magistrate. The judge must apply a strong legal standard when considering the request.


It is ironic that existing federal privacy statutes contain stronger privacy protections vis-a-vis law enforcement access than the proposed rule on health information. Examples are the Cable Communications Policy Act and the Video Privacy Protection Act. The rule is sufficiently vague that a police officer could conceivably obtain protected health information by showing a badge and making a verbal request.


It is imperative that this section be redrafted to require proper and stringent judicial review. This recommendation is a high priority for the PRC.



Section 164.510(g) Disclosures and uses for governmental health data systems.

The PRC considers the creation of governmental health data systems to be among the most troubling provisions of the proposed rule. The rationale for developing such databases is not adequately justified. Nor are the restrictions on who can gain access to these databases well defined. It appears that federal and state government agencies with limited or no health-related functions could obtain information from such health data systems. For example, law enforcement could easily obtain access to health information contained in these databases by simply making a case that such access 'supports policy, planning, regulatory and management functions.' [p. 59964] To make matters worse, this provision of the proposed rule is not even subject to the very same fair information principles that the rule requires health providers to extend to their patients.


The PRC deviates from the Comments of the Georgetown University Health Privacy Project on this provision of the proposed rule. We believe the development of governmental health data systems should be abandoned. The potential for abuse of such massive cradle-to-grave databases is too great. Congress must act to overturn this provision.



Section 164.512 Notice to individuals of information practices.
Section 164.520 Documentation of policies and procedures.


Individuals cannot make informed decisions about the disposition of their health information unless they are aware of and understand the collection and disclosure policies of their health care providers. We are pleased that this provision is a key part of the proposed rule. It can be strengthened in a number of ways: (1) To ensure that individuals have read the notice, health providers should obtain a signed acknowledgment to that effect. (2) If a significant percentage of an entity's clientele speak languages other than English, the notice should be translated into those languages. (3) Covered entities are given too much flexibility in changing the text of notices before informing their clientele of those changes. This needs to be tightened. (4) It is well known that notices of many kinds are buried in 'fine print' and are rarely read. Because of the importance of notices related to the privacy of one's medical records, we recommend that wording be placed prominently at the top of the notice alerting the individual to the contents and significance of the notice.



Section 164.514 Access of individuals to protected health information.

The access provision, like notice, is one of the strongest sections of the proposed rule. The rule gives individuals the right to see, copy and correct their medical information. Access should not hinge on whether or not one's bills are paid in full, and the proposed rule should make this explicit.


In cases of denials, the proposed rule should specify that the denial comes from a health care professional with expertise in the specific medical topic that the records cover. The denied individual should have the right to request review of the denial by another qualified health professional with appropriate expertise. Such provisions will ensure that the reason for the denial is well-founded.


Health care services are commonly far-flung these days. The health care provider should be able to inform patients where specific records can be obtained.


The PRC has received numerous complaints from individuals whose doctors have retired, died, or moved to another city. They have not been able to locate the doctor in order to retrieve their health records. In situations where a doctor leaves practice or moves, patients should be informed of that fact and told how to obtain their records.



Section 164.515 Accounting for disclosures of protected health information.

The PRC has received numerous complaints from individuals who claim their medical records have been obtained by individuals who do not have a legitimate right of access. We have received similar complaints about individuals who have accessed and then disclosed health information to those who have no legitimate right to know such information (for example, the 'town gossip').


One of the benefits of electronic records is that complete audit trails can easily be built into the automated record-keeping system. The presence of such systems serves as an effective deterrent to unauthorized access and disclosure. We have been told of numerous cases where a dishonest or unethical 'insider' has gained access to medical information for the purpose of then disclosing it to those who do not have a right to know.


The proposed rule should be strengthened to allow individuals access to the full audit trail, not just to a portion. The audit trail of access to information related to treatment, payment and operations should be just as accessible as the audit trail for other uses.



Section 164.516 Amendment and correction.

Another of the fair information principles that the proposed rule establishes is that of correction or amendment of erroneous information. Unfortunately, the proposed rule allows the covered entity to deny an individual's request for correction or amendment, especially when those records were created by another entity. This should be reversed: the entity that created the record may no longer exist, since doctors retire or die and health care providers go out of business, leaving the individual with no one else to correct the record.


The PRC has received complaints from individuals who have disagreed with the information placed into the medical file by the doctor. Such individuals should have the ability to place an explanatory statement in the file, as well as to know if the doctor responds with a rebuttal, and be able to obtain a copy of that rebuttal.



Sections 160.201, 160.202 and 160.203: Applicability, Definitions, and General rule and exceptions, respectively.

We are pleased that HIPAA and the proposed rule have established that these regulations serve as a floor for the states, but not a ceiling. But the provision that enables states to request a waiver in order to allow a weaker state statute should be restricted significantly, or removed altogether (160.203).



We recognize that HIPAA did not provide a private right of action by which individuals might enforce these regulations. This is a significant omission. Congress must act to give individuals such a right. These regulations are virtually meaningless without it.


Again, thank you for the opportunity to present our Comments on the proposed rule. Feel free to contact me if you need clarification.




Beth Givens
Privacy Rights Clearinghouse