Comments of the World Privacy Forum FR Doc. 05-19788
November 1, 2005
Office of the Assistant Secretary for Planning and Evaluation
Department of Health and Human Services
200 Independence Avenue, SW. Washington, DC 20201
Pursuant to the notice published in the Federal Register on October 4, 2005 regarding Recommendations for Regulatory Reform, the World Privacy Forum submits the following comments. 
The World Privacy Forum (WPF) is a non-profit, non-partisan public interest research organization.  The WPF focuses on in-depth research and analysis of technologies and their impacts, with a particular view to the privacy and security implications of emerging and maturing technologies and data infrastructures, including medical technologies and infrastructures.
The October 4 notice (FR Doc. 05-19788) relates directly to House Report 108-636, in which $2,0000,000 of the policy evaluation funds available to the Office of the Assistant Secretary for Planning and Evaluation is slated to establish an interagency committee, which is to be coordinated by HHS and overseen by the Office of Management and Budget.  The directions given to the interagency committee by the House Appropriations Report are as follows: “The committee's role will be to examine the major regulations governing the health care industry, making suggestions regarding where they could be coordinated and simplified to reduce costs and burdens and improve translation of biomedical research into medical practice, while continuing to protect patients. The examination should include an economic analysis of the major regulations to determine transactional costs of complying with regulations.”  This committee and its aforementioned goals are the subject of the October 4 Federal Register notice.
We recognize the value of the committee’s stated goals. These comments discuss key aspects of the committee’s role, goals, and procedures.
I. Committee Goals: Protecting Patients as the Guiding Principle
The committee’s emphasis on reducing costs and regulatory burdens is modified by five very important words, that is: “while continuing to protect patients.”  We call attention to these words because they make it clear that the other worthy goals set out by the committee are not unilateral objectives to be pursued without attention to their consequences. In many cases, the direct beneficiaries of health regulations are patients.
For example, regulations for the protection of human subjects place barriers to the conduct of research because we know from past history that patients will be harmed in the absence of those barriers. Indeed, it is far from clear that the existing protections work adequately to protect patients. Similarly, the privacy and security rules applicable to the health care industry are intended to protect data subjects. We know that before the HIPAA privacy and security rules took effect, the health care world was not doing nearly enough to guard to privacy of patients and the security of health information. Had there been adequate protections in place, the cost of complying with the HIPAA rules would have been de minimus.
The costs, burdens, and barriers of regulation are a reasonable subject of inquiry. There can be many ways to achieve an objective. We do not as a society always select the least expensive approach – another approach may adequately meet the objective at hand, or may take into account the other consequences of our choices. As such, the charge to the interagency committee must consider both costs and consequences. That is clearly the point of the words while continuing to protect patients.
II. Committee Membership
As quoted in House Report 108-636, the charge from the appropriations committee is that membership of the interagency committee should include “…Representatives from throughout the health care industry, including institutional and individual providers, the clinical research sector, academia, and public health. It should also include experts in health care economics, hospital administration, and insurance billing practices.” 
III. Evaluating Problems
The WPF is familiar with industry complaints about the HIPAA privacy rule and would like to offer a general suggestion for evaluating any complaints brought to the committee’s attention. The process for implementation of the privacy and security rules was long, and it involved many people throughout the health care sector. We know from experience with other privacy laws in the United States and in other countries that it can take many years for all record keepers to learn the new rules and to implement them properly.
Many complaints about the rules result from three primary issues: a lack of understanding, implementation difficulties, or implementation choices. The first category of complaints has clearly diminished over time, and they should continue to do so. Nevertheless, it may take a while longer before privacy and the HIPAA privacy rule will be fully integrated into health care.
Covered entities have sometimes complained that the privacy rule prevents an activity when, in fact, the rule expressly allows the activity. In other cases, complaints about the rule actually go to the implementation choices made by the entities covered by the rule. Some have gone beyond the requirements of the rule and imposed additional privacy protections that are the source of local complaints.
We urge the committee to explore complaints with great care. One goal should be to make sure that a complaint does not merely reflect a transitional problem. Another goal should be to make sure that a complaint is not the result of voluntary implementation choices by covered entities. We may applaud the hospital lawyers who insist that their institutions provide additional privacy protections beyond those required by the federal rule. However, it would inappropriate for the interagency committee to seriously consider complaints about implementation choices that are not expressly mandated by the rule itself. The rule should not be blamed for problems that result from voluntary implementation choices made by covered entities.
In other instances, the exercise of rights given to patients under HIPAA has created disruptions for other activities. For example, we have heard complaints from medical researchers that informing patients about their rights sometimes results in patients refusing to participate in research studies.  This is reported as if it is a terrible outcome, when telling patients about their rights and allowing them to make choices is precisely the point. This is, to use the phrase from the appropriations committee again, continuing to protect patients. There may, of course, be better ways of educating patients, but patients making choices remains fundamental and must be protected regardless of what choices patients ultimately make.
IV. Protecting Privacy and Efficiency
The WPF believes that privacy protections and efficiency are not antithetical. Well-designed and comprehensive privacy rules can be less costly to implement and provide better protections to patients. Following are two specific instances of changes to the HIPAA privacy rule that offer better privacy, better patient care, and lower costs.
A. Accounting for Disclosures
The requirement in the HIPAA privacy rule for maintaining an accounting for disclosures is a good example of a policy that is so riddled with loopholes that it fails to achieve its purpose, protect privacy, or allow for efficient implementation. The rule (45 C.F.R. § 164.528) has attracted plenty of criticism from covered entities that it is too costly or too difficult to implement.  One unrecognized problem is that the rule has too many exceptions. It is actually easier and less costly to establish a system to account for all uses and disclosures rather than to require accounting for some and not others. Further, accounting for all uses and disclosures provides better privacy protections for patients and better legal protections for record keepers. In other words, accounting is a feature and not a burden.
In response to complaints about the accounting requirement, it might be tempting to consider eliminating the accounting requirement altogether or adding more exceptions. Those results would be counterproductive. If everyone steps back a bit from the problem, we can find a better solution.
It is perfectly apparent that health care record keeping will be increasingly automated and networked in the future.  This prospect, especially increased networking, means that the risks of improper access to and disclosure of records will increase in the future.  If we are to find a way to continue to protect patients, then we must find a way to control improper uses and disclosures. Accounting is one way to accomplish that goal.
Further, in a computerized environment, maintaining accounting is a relatively simple task provided that the capability for accounting is built into the system at the beginning and not added on later. Indeed, many automated health record systems installed today already include a capability for accounting for all uses and disclosures and not just those required by the HIPAA rule.  Health care providers include accounting in automated systems not just because of the rule, but because it is good a record keeping policy that protects the provider as well as the patient. The federal government has operated under the Privacy Act of 1974 for many years, and no problems with accounting for health care disclosures have been reported.
The HIPAA rule imposed accounting requirements on legacy systems, and that has much to do with the complaints. For those covered entities that have already built accounting systems, there is little point in changing the rule. To make such a change now would only reward the laggards.
A better approach would be to have a universal accounting rule covering all uses and disclosures without any exceptions. However, this broader rule should take effect for any covered entity with the next new or upgraded computer record keeping system. A full, robust data accounting architecture and system should be an essential element of any National Health Information Network (NHIN). However, we recognize that no one should be asked again to retrofit a legacy system, even if that means that it may be some years before the new policy would be implemented everywhere. With notice, system vendors will be able to meet any accounting requirements at marginal cost.
The WPF believes that any steps to remove or reduce accounting of disclosures would be short-sighted and would in fact lead to markedly higher costs, increased burdens, and lessened patient protections. This would be particularly true after the installation of any NHIN. While removing the accounting of disclosures would satisfy some in the short term, in the long term it would be an extremely costly decision both economically and in terms of the high potential of the loss of patient trust.
B. Amendment of Records
The ability to review and ask for amendment of records is a fundamental privacy right. Under the HIPAA privacy rule, that right is constrained in a way that does not adequately protect the privacy rights of patients or the interest of the health care system in having accurate and complete records. The amendment rule (45 C.F.R. § 164.626) does not require a covered entity to consider a request for an amendment of a record that was not created by the covered entity, unless the originator of the record is no longer available to act on the requested amendment. The administrative process of clearing requests for accounting for records from third parties is complex, expensive, and burdensome to patients and record keepers alike.
Most health records maintained by most health care providers and health plans contain information that originated with someone else. A hospital chart may include referrals from other physicians, results from external laboratories, and other data contributed by third parties. The HIPAA amendment rule allows covered entities to use the information they have without any obligation to review that information if the patient says that there is an error. It is not only unfair and an invasion of privacy to make a decision about someone based on information that may be incorrect, but the result may be increased cost and medical errors.
The HIPAA limited amendment rule violates patient privacy, endangers patients, increases costs, and exposes health care providers to additional liabilities. Further, asking a patient to prove that the original record keeper is unavailable can increase costs or be an impossible barrier for many patients. The result is that incorrect information will be perpetuated in a record, with the potential to do more damage in the future.
An alternate approach can do better for everyone. If a record keeper maintains information about a patient, then it should consider a request for amendment. At worst, a record keeper will have to accept a statement of disagreement from the patient to be included with the disputed information. This obligation is the same as is required under HIPAA for the record keeper’s own records. At best, a health care provider will realize that it has incorrect information and can make an appropriate adjustment that might correct a blood type, family relationship, family history, existence of a previous test, or other vital piece of health data.
Some will argue that any health care provider would gladly correct any of the cited types of errors in a record, and they may be right. If so, the making the requirement obligatory will impose no greater burden than already exists. All covered entities must have a system to consider amendments already in place. It is easier and less costly to consider and resolve patient requests for amendment than to decide administratively that some records may be the subject of a request for amendment and some may not be. For many issues, it is simpler and less costly to address them substantively than to deal with divergent and confusing administrative distinctions that make little sense and that do not continue to protect patients. A better and broader amendment rule will protect privacy, reduce medical errors, and simplify the administrative burden associated with the amendment process.
And a final note: it is important to take the growing crime of medical identity theft into account. This is a crime where an identity thief may intentionally alter or inadvertently cause to be altered a victim’s medical file so that the file reflects diseases or a medical history that the victim does not have. It is nightmarish that a patient’s medical chart may include information about someone who has stolen the patient’s identity for the purposes of using the victim’s insurance or for dodging medical bills. However, this crime is already occurring and the accuracy of patient medical files is already being impacted.  Medical identity theft is an unfortunate reality that must be dealt with sooner rather than later. A better and broader amendment rule will serve to protect privacy and reduce medical errors in this context, one that is in sore need of being addressed.
The World Privacy Forum looks forward to working with the interagency committee on any matters that directly or indirectly affect privacy rights.Respectfully submitted,
World Privacy Forum
 FR Doc. 05-19788. Federal Register, October 4 2005, Volume 70, Number 191, page 57877-57878.
 See: House Report 108-636 – Departments of Labor, Health and Human Services, and Education, and Related Agencies Appropriation Bill, 2005, Office of Secretary General Departmental Management, Regulatory Burden section, paragraphs 1- 3. <http://thomas.loc.gov/cgi-bin/cpquery/T?&report=hr636&dbname=cp108&> last accessed October 31, 2005.
 Ibid. Also FR Doc. 05-19788, summary paragraph.
 Ibid, FR Doc. 05-19788, summary paragraph. Hereafter, the quoted phrase, “while continuing to protect patients,” will not be footnoted again, but will be italicized.
 House Report 108-636, Office of Secretary, General Departmental Management, “Regulatory burden” subsection, paragraph 3.
 See for example “Potential Impact of the HIPAA Privacy Rule on Data Collection in a Registry of Patients With Acute Coronary Syndrome,” Archives of Internal Medicine, May 2005; 165: 1125 - 1129. <http:// archinte.ama-assn.org .>
 Comments typifying this vein may be seen, for example, in the NCVHS testimony of hospital representatives early in the HIPAA implementation process. See: NCVHS Subcommittee on Privacy and Confidentiality, November 19, 2003, Panel I, health care industry representatives. <http://ncvhs.hhs.gov/031119tr.htm#industry>. Note that many of these complaints have been answered in 2005 for larger providers, as it is now later in the implementation process.
 A national campaign toward modernizing, digitizing and automating health care records is currently underway, as are plans for the creation of a national networked architecture to manage those records (the NHIN.) See, for example, Executive Order 13335, “Incentives for the Use of Health Information Technology and Establishing the Position of the National Health Information Technology Coordinator” (Washington, D.C.: Apr. 27, 2004). Also see the Office of the National Coordinator for Health Information Technology (ONC) <http://www.hhs.gov/healthit/mission.html>.
 For a more detailed discussion of these issues, see the World Privacy Forum testimony on Electronic Health Records (EHRs) and the National Health Information Network before the Privacy and Confidentiality subcommittee of the NCVHS. See in particular the discussion of medical identity theft and the security issues related to the NHIN. <http://www.worldprivacyforum.org/testimony/NCVHStestimony_092005.html>.
 Many tools have become available to facilitate HIPAA compliance, including software and enterprise systems designed specifically for the automating of accounting of disclosures. See among many examples, HIPAA Guard by Integritas < http://www.integritas.com/>, which is a paperless accounting of disclosures system, Etrack Disclosure Tracking System. < http://www.hipaarx.net/products_disclosures.htm >, Cortrak http://www.cortrak.com/, HPATS by IO Datasphere, among many others.
 In August 2005 testimony before the NCVHS, the WPF discussed four examples of medical identity theft. The thefts resulted in the alteration of victims’ medical records to match the health or other needs of the perpetrators of the crime. See “Electronic Health Records and the National Health Information Network: Patient Choice, Privacy, and Security in Digitized Environments,” Section A, Identity Theft and Electronic Health Records: The Centrality of Accuracy, Access, and Right of Correction. < http://www.worldprivacyforum.org/testimony/NCVHStestimony_092005.html>.
PDF version of comments.
|© 2003 - 2006 WORLD PRIVACY FORUM | CONTACT | RESOURCES|