The American Civil Liberties Union
In response to the request by
the U.S. Department of Health and Human Services
at 67 Fed. Reg. 14776 (March 27, 2002) for
Comments Regarding Proposed Modifications
to the Final Rule on Standards for Privacy
of Individually Identifiable Health Information
Comments prepared by:
American Civil Liberties Union
Director, Reproductive Freedom Project
American Civil Liberties Union
April 26, 2002
The American Civil Liberties Union is a nationwide, non-partisan organization of nearly 300,000 members dedicated to protecting the principles of liberty, freedom, and equality set forth in the Bill of Rights to the United States Constitution. For almost 80 years, the ACLU has sought to preserve and strengthen privacy in all aspects of American life.
Advances in technology have brought about a revolution in every aspect of health care, including the manner in which medical information is maintained and disseminated. Today, medical data can be collected, combined, collated, analyzed and distributed faster and easier than ever before. Health information can be stored electronically and transmitted around the country and around the globe with the click of a computer mouse. Much of this electronic activity benefits individual patients and facilitates public health efforts as well. But, like many technological advances, society’s increased reliance on computerized medical records poses significant challenges to privacy.
Medical records contain uniquely sensitive information about individuals, and the increasingly common storage of such records on computers poses a threat to medical privacy. In the absence of legal safeguards, new technology allows for virtually unlimited access to medical records without patient knowledge or consent.
The ACLU believes federal protections are needed to shield medical information from unauthorized disclosures. While Congress has failed to enact such protections, it has mandated that the Department of Health and Human Services (HHS) establish medical privacy protections by regulation. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) legislated a deadline of February 21, 2000 for HHS to publish a final medical privacy regulation and HHS belatedly complied with this mandate on December 28, 2000 (the “Privacy Rule”). 65 Fed. Reg. 82462.
Now, more than two years after the statutory deadline has passed, the Secretary has issued a Notice of Proposed Rulemaking (“NPRM”) proposing several major changes to the regulation that would seriously undermine patient privacy. 67 Fed. Reg. 14776.
The ACLU’s comments focus on three points: 1) patient consent is a cornerstone of patient privacy protections, and the Department should not roll back consent requirements for treatment, payment and health care operations; 2) the marketing provisions should not provide a back door means to avoid consent requirements; and 3) the proposed changes would deter minors from obtaining critical health services, such as mental health care, substance abuse treatment, and testing and treatment for sexually transmitted diseases.
To address these concerns, the Department should:
1) maintain the Privacy Rule’s current consent requirement for treatment, payment, and health care operations, and make narrowly tailored exceptions to address the unintended consequences that result from the consent requirement in specific circumstances;
2) reject the proposed changes to the definition of “marketing,” narrow the current exemptions in the definition even further, and adopt the NPRM’s proposed authorization requirement for marketing activities; and
3) reject the proposed changes to the minors provision.
The NPRM’s proposed changes raise privacy concerns beyond these three points that are well articulated in the comments submitted by the Health Privacy Project at Georgetown University.
The proposed changes to §164.506 of the Privacy Rule would eliminate the requirement that health care providers obtain an individual’s consent prior to using or disclosing protected health information for treatment, payment, and health care operations. These changes would undermine individual privacy by taking control over personal information away from the patient. Government regulation alone would drive final decisions about how personal medical information is used for a range of health care, insurance, and payment functions. The Department should maintain the Privacy Rule’s current consent requirement for treatment, payment, and health care operations and make narrowly tailored exceptions to address the unintended consequences that result from the consent requirement in specific circumstances.
The proposed regulation in November 1999 (64 Fed. Reg. 59918) permitted providers to disclose information for treatment, payment and health care operations without patient consent. The ACLU and others urged the Administration to include a requirement that patients sign an authorization before personal health information is transmitted for any reason.
In response, the Department’s final rule in December 2000 requires patient consent for any use or disclosure of protected health information, but permits health care providers and plans to deny treatment if an individual refuses to consent for treatment, payment or health care operations. This “coerced consent” for certain health care functions does not provide as strong a consent requirement as the ACLU and other privacy advocates had sought from the Department. For the first time, however, the Privacy Rule established in federal law the principle that medical information may not be disclosed without the consent of the patient. There are exceptions to this principle, some of which are drafted too broadly in the regulation, but patient consent creates an important baseline of federal privacy protection.
The Administration now proposes to turn the clock back and replace the Privacy Rule’s two-tiered consent requirements with a notice requirement. The proposed changes to § 164.506 would eliminate the requirement that health care providers obtain an individual’s consent prior to using or disclosing protected health information for treatment, payment, and health care operations. In its place, § 164.520(c)(2)(iii) merely requires a direct treatment provider to make a “good faith effort” to obtain written acknowledgement from the patient that he or she is in receipt of the provider’s privacy notice.
Notice requirements are an important element of privacy protections but they do not supplant the need for patient consent. Consent serves as the basic building block for privacy statutes protecting all kinds of personal information from educational records to personal information held by the government, and even video rental records. In the medical context, consent requirements for the use and disclosure of protected health information respect patient autonomy, ensure individuals understand the risks and benefits of sharing protected health information, and provide the individual with the information needed to make an informed decision. Medical information is at least as sensitive as video records and warrants a strong consent requirement.
In comparison, the NPRM’s proposed notice requirement dictates the terms and conditions of the use and disclosure of personal information without any input from the patient. There is no duty on the health care provider to explain the contents of the notice beyond the “good faith” requirement that an individual has the privacy notice in hand. Finally, unlike consent, a notice requirement does not provide an “initial moment” where patients have the opportunity to interact with their health care provider and question how and why their information is being used in a particular way. For example, the current consent, which is relatively shorter and less detailed than the notice, must include the patient’s right to request a restriction on the use and disclosure of protected health information to carry out treatment, payment, and health care operations. § 164.506. The purpose of this section is to make it absolutely clear to patients that they have a right to request a restriction. Without consent, patients may never fully understand their rights.
The Privacy Rule’s current consent requirements do not provide individuals with total control over how their information is used and disclosed for treatment, payment, and health care operations. They do provide some control, however. The Department agrees “that the opportunity to discuss privacy practices and concerns is an important component of privacy, and that the confidential relationship between a patient and health care provider includes the patient’s ability to be involved in discussions and decisions related to the use and disclosure of any protected health information about him or her.” And, the Department itself acknowledges in this proposed rulemaking that the final regulation’s consent requirement for treatment, payment and health care operations was a “significant change” from the original proposal in November 1999.
At the same time, however, the Department argues that changes to the consent requirement are necessary because they could result in “unintended consequences that impede the provision of health care.”
The Department articulates several possible unintended consequences of the Privacy Rule’s consent requirements for treatment, payment, and health care operations. For example, pharmacies have expressed concern that first time customers would experience a delay in obtaining medication because the Privacy Rule would require pharmacists to obtain consent before filling a prescription. This would be a particular problem for family members or friends who pick up prescriptions on a patient’s behalf. There are several ways to address this problem, however, other than eliminating the consent requirement for all providers. The Department could clarify that pharmacists who receive prescriptions directly from a doctor’s office are indirect treatment providers and not subject to the prior consent requirement or could create an exception that consent could be handled through the mail.
Another practical problem the Department identifies involves health care providers who do not provide treatment in person. The Privacy Rule includes several provisions that provide answers to this problem. Doctors who take phone calls for other doctors could be treated as part of an organized health care arrangement with a joint consent form. Nurses who staff advice lines usually do so under contract with a health plan and would therefore be functioning as business associates of the health plan with no need for a separate consent.
All of the practical problems raised in the NPRM could be addressed through discrete, narrowly tailored solutions or even resolved by clarifying existing provisions of the regulation. The Department should not use a sledgehammer to remedy discrete implementation issues when laser surgery would work just as well and would be more privacy protective.
The Administration suggests there may be other unintended consequences that have not been identified to date. If in fact additional problems arise, the Privacy Rule can be modified at any time to address them. Covered entities have already considered the consent requirements in detail as they begin to plan for implementation of the Privacy Rule and a recent survey of California health care organizations shows many providers think the consent requirements are workable. The survey polled hospitals, physician groups, payors, and a range of other health care entities such as disease management organizations. Ninety percent of hospitals felt the consent requirements were somewhat to very workable. Only 7% of total respondents felt that the consent requirements, including consent for treatment, payment, and health care operations, were not workable at all. And, only 13% felt the requirements were less than workable.
The Privacy Rule should maintain the current consent requirements for treatment, payment, and health operations. The Department should reject the proposed changes to § 164.506 and address specific implementation problems with specific, narrowly tailored solutions.
The NPRM’s proposed changes would require patient authorization before protected health information is used or disclosed for marketing purposes. Although this is an important protection, the proposed changes to the marketing provisions taken as a whole would result in a net loss for patient privacy, not a net gain. The Department should reject the proposed changes to the definition of “marketing,” narrow the current exemptions in the definition even further, and adopt the NPRM’s proposed authorization requirement for protected health information used and disclosed for marketing activities.
The NPRM’s proposed changes to §164.508(a)(3) would require patient authorization for any use or disclosure of protected health information for marketing purposes except for face-to-face communications or promotional gifts of nominal value provided by the entity. This new authorization requirement for marketing, however, must be understood in combination with the proposed changes to the definition of marketing.
Both the current Privacy Rule and the NPRM generally define marketing as “a communication about a product or service to encourage recipients of the communication to purchase or use the product or service.” In addition, both the current and proposed definitions exempt certain health-related communications from the definition including activities for treatment, case management, care coordination, or “to direct or recommend alternative treatments, therapies, health care providers, or settings of care to that individual.” § 164.501.
The current Privacy Rule, however, does not exempt health-related communications from the definition if the covered entity receives “direct or indirect remuneration from a third party for making the communication.” In comparison, the proposed changes in the NPRM would carve out health-related communications from the definition of marketing entirely, even if a covered entity receives compensation for the communication from a third party.
First, these proposed changes would greatly expand the set of activities that fall outside the definition of “marketing.” As a result, a large number of activities that the average person would consider marketing would not be subject to the proposed patient authorization requirement.
In addition, the proposed changes eliminate patients’ ability to opt out of marketing schemes. The current Privacy Rule permits health care providers to solicit their patients for certain marketing and fundraising purposes without patient consent, but it provides patients the opportunity to opt out of future solicitations. See §164.514(e). The NPRM’s proposed changes fail to bolster the marketing provisions and even eliminate the little protection patients have under the Privacy Rule against unauthorized use of their personal information for marketing purposes.
The following examples illustrate the difference between the Privacy Rule’s current definition of marketing and the NPRM’s proposed changes.
Example: An insurance company is paid by a third party to send beneficiaries advertisements for life insurance or vacation condos. Under both the current and proposed definitions of marketing, this type of communication would fall within the definition of marketing because it has no relation to a health-related function. Patient authorization would be required in both instances.
Example: A hospital is paid by a nursing home chain to send elderly patients information about its nursing homes’ long-term care services. Under the current Privacy Rule, this type of communication would be considered marketing because the hospital is being paid to promote a product. Under the NPRM’s proposed changes to the marketing definition, this communication would fall outside the definition of marketing. As a result it would not be subject to the proposed patient authorization requirement for marketing.
Example: A pharmacy is paid by a drug company to send out prescription reminders to patients taking medication for depression and to encourage them to switch their medication to the drug company’s brand name product. Under the Privacy Rule, this communication would be considered marketing because the company is being paid to promote the product. Under the proposed changes, this communication would fall outside the definition of marketing and would not be subject to the proposed patient authorization requirement.
The proposed changes to the definition of marketing would undermine the advances made by requiring an authorization for marketing activities. The Privacy Rule’s definition of marketing should be maintained.
Second, the exclusion of certain health-related activities from the definition of marketing is extremely broad in both the current and proposed definitions of marketing. For example, the proposed definition of marketing excludes communications “to direct or recommend alternative treatments, therapies, health care providers, or settings of care to that individual.” Under this exception, patient consent would not be required to send letters promoting an alternative brand of medication or advertising a new assisted living facility. In fact, it is difficult to imagine what type of marketing would be excluded if it in any way related to health care.
No matter what name or label the Department uses for this type of communication, this is the very type of marketing that the public has strongly opposed in the absence of patient consent. For example, in 1998, public outcry forced CVS and Giant Pharmacy to abandon their practice of sharing personal medical information with a company that promoted certain pharmaceutical products and sent out prescription reminders. The companies engaged in the very practice that would be permitted without patient consent or an opt-out requirement under the proposed changes. The definition of marketing should include health-related communications that are not related to direct treatment.
Marketing in and of itself is simply a commercial activity. However, anger about unsolicited marketing based on the unauthorized use of personal health information is one of the reasons the public demand for federal medical privacy protections is so strong. It is true that there is currently no federal law prohibiting the disclosure of personal health information for marketing purposes and therefore the Department has argued that the proposed authorization requirement is an improvement on current law. In reality, however, the final regulation creates a safe harbor for the use and disclosure of personal health information for a broad range of marketing activities.
As a result of the NPRM’s proposed changes, a huge range of marketing activities could take place without patient consent, there would be no opportunity to “opt out” of receiving marketing solicitations as provided for under the current Privacy Rule, and marketing practices that the public has strongly opposed would be codified under the privacy regulation.
The Department should maintain the current Privacy Rule’s definition of marketing, adopt the NPRM’s proposed patient authorization for marketing purposes, and narrow the types of health-related activities that fall outside the definition.
If adopted, the proposed changes to §164.502(g)(3) would deter minors from obtaining critical health services, such as mental health care, substance abuse treatment, and testing and treatment for sexually transmitted diseases. We therefore urge the Department to retain this provision of the Privacy Rule in its current form.
As currently written, the Privacy Rule strikes a careful balance between the need for parents to have access to their children’s health information and the need for adolescents to feel secure that their health information will be kept private in certain limited circumstances. Thus, under the Privacy Rule, parents are generally treated as the personal representatives of their unemancipated minor children and are given access to and control over their children’s health information. Based upon significant research and standard medical practice, however, the Privacy Rule contains narrow exceptions to this general rule.
One of these exceptions gives a minor access to and control over information related to health services that the minor lawfully obtains based on his or her own consent. Privacy Rule § 164.502(g)(3)(i). Numerous studies have found that confidentiality is one of the prime determinants of whether an adolescent seeks and obtains timely health care related to sensitive topics such as mental health, substance abuse, and sexuality. For example, studies show that somewhere between eight and thirty-one percent of teens delay or entirely forego health care because of concerns that their private information will be revealed to parents or others. In addition, research confirms that teens who believe that their health care provider will maintain their confidentiality are more likely to discuss sensitive health topics, such as sexually transmitted diseases, pregnancy prevention, and substance abuse, with their provider. In recognition of these facts and in pursuit of the lifesaving goal of ensuring that minors get the health care they need, the overwhelming majority of States have enacted laws that allow minors to consent on their own to specific services such as prenatal care, family planning services, testing and treatment for sexually transmitted diseases, mental health counseling, and treatment for alcohol and/or drug abuse.
Because laws allowing minors to self-consent to certain services were enacted precisely to ensure that confidentiality concerns did not keep adolescents from obtaining critical care, the Privacy Rule wisely linked the right to consent to a service to the right to control the information related to that service. Thus, under the existing Privacy Rule, in those limited circumstances where a minor lawfully obtains a service without a parent’s consent, the minor (and not the parent) exercises the rights of access to and control over the information related to that service.
The proposed changes to the Privacy Rule would sever the fundamental link between the minor’s right to consent to a health service and the minor’s need for confidentiality. Under the proposed changes, a minor who lawfully obtains a service based on his or her own consent would no longer have a right to protect the information related to that service from being released to the parent. Rather, the proposed changes would give the covered entity discretion to decide, within the bounds of State and other applicable law, whether or not to provide the minor’s parent access to the information. NPRM § 164.502(g)(3)(iii).
By failing to guarantee minors’ confidentiality, the proposed changes undermine the goal of the minors’ consent laws — to encourage minors to get critical health care they would otherwise forego because of confidentiality concerns. Because the proposed changes would deter adolescents from seeking essential health care, we urge the Department to retain the current version of section 164.502(g)(3). Furthermore, we caution that any further erosion of minors’ ability to obtain confidential care would raise serious constitutional problems. See, e.g., Bellotti v. Baird, 443 U.S. 622 (1979); Carey v. Population Servs Int’l, 431 U.S. 678 (1977).
What we believe was an oversight in the language of the proposed changes to section 164.502(g)(3)(iii) makes this broad discretion over minors’ health information even more problematic. Although the preamble speaks in terms of a “provider” exercising this discretion, see 67 Fed. Reg. 14,792 (Mar. 27, 2002), the text of the proposed changes does not limit the individuals who may exercise this discretion to the minor’s treating provider. Rather, it confers upon all covered entities the discretion to decide whether to give a parent access to a minor’s health information (so long as the decision is consistent with State and other applicable law). Thus, not only would physicians, nurses, and counselors who know the minor (and in some instances the parent) be vested with such discretion, but so would a wide range of others, including employees of health insurance plans and hospital records rooms who have never met the minor. We believe this to be an unintended consequence of the proposed changes. We urge the Department to narrow the scope of individuals who are given such discretion to licensed health care professionals who have provided the health care service to the minor. To accomplish this goal, we suggest replacing the words “covered entity” in section 164.502(g)(3)(iii) of the NPRM with the phrase “covered health care provider who is a licensed, treating health care professional.”
The proposed changes also restate and reinforce the Privacy Rule’s inappropriate deference to State law in determining who shall have access to protected health information about minors. Under the NPRM, even in those limited circumstances where the minor is authorized to act as the individual, section 164.502(g)(3)(ii)(A) would permit a covered entity to disclose protected health information about the minor to a parent if State law expressly required or permitted such disclosure.
We continue to object to deference to State laws that are less protective of an individual’s privacy than is the Privacy Rule. The Privacy Rule generally preempts State laws that are contrary to the regulation and less protective of an individual’s privacy, but lets stand those State laws that provide more protections. This rule not only makes good sense but is also required by HIPAA. 42 U.S.C. § 1320d-7. Yet minors’ health information is subject to a special rule of non-preemption that allows all State laws regarding dis