Testimony of
RONALD WEICH
Legislative Consultant to the American Civil Liberties Union
on behalf of
THE AMERICAN CIVIL LIBERTIES UNION
before the
National Committee on Vital and Health Statistics
Subcommittee on Privacy and Confidentiality
on
Implementation of Medical Privacy Regulations:
Significance of the 'Minimum Necessary' Standard
August 22, 2001
My name is Ronald Weich. I am a partner in the law firm of Zuckerman Spaeder LLP, and a legislative consultant to the American Civil Liberties Union (ACLU). I am pleased to appear before you today on behalf of the ACLU to discuss the subject of medical privacy, and, more specifically, to comment on implementation of the "minimum necessary" standard in the recently finalized HHS regulations.
The American Civil Liberties Union is a nationwide, non-partisan organization of nearly 300,000 members dedicated to protecting the principles of liberty, freedom and equality set forth in the Bill of Rights to the United States Constitution. For almost 80 years, the ACLU has sought to preserve and strengthen privacy in all aspects of American life.
My testimony is divided into three parts. The first section summarizes the ACLU's general views on medical privacy. The second section discusses implementation of the requirement in the privacy rule that certain disclosures of protected health information be limited to the "minimum necessary" to accomplish the intended goal of the disclosure. The final section highlights our concerns about other aspects of the regulation.1
I. IMPORTANCE OF MEDICAL PRIVACY
Medical records contain uniquely sensitive information about individuals, and the increasingly common storage of such records on computers poses a threat to medical privacy. In the absence of legal safeguards, new technology allows for virtually unlimited access to medical records without patient consent.
Advances in technology have revolutionized the manner in which medical information is maintained and disseminated. Today, medical data can be collected, combined, collated, analyzed and distributed faster and easier than ever before. Huge quantities of health-related information can be stored electronically and transmitted across the country and around the globe with the click of a computer mouse. Yet current law does not adequately recognize a patient's right to control the dissemination of his or her medical information.
Privacy is vital in the health care context because trust is a fundamental component of the doctor-patient relationship. Medical records contain intimate, potentially embarrassing information, and patients are susceptible to humiliation, discrimination and even violence in the event information from their medical records is improperly disclosed. In the absence of privacy safeguards, patients engage in privacy protective behavior such as avoiding care or failing to be candid with health care professionals. These behaviors are detrimental to personal and public health, especially in sensitive medical fields such as mental health, substance abuse and reproductive health.
The ACLU has long supported passage of a federal law to shield medical information from unauthorized disclosures. While Congress has regrettably failed to enact such protections, the Health Insurance Portability and Accountability Act of 1996 (§ 264(c)(1) of Pub. L. 104-191) mandated that the Department of Health and Human Services establish medical privacy protections by regulation. After a lengthy regulatory process, HHS published a final rule on December 28, 2000 (65 Fed. Reg. 82462) and it became effective earlier this year.
The ACLU believes that the final regulation, while not perfect, represents a major advance in the struggle for medical privacy. The most important aspect of the rule is that it establishes in federal law for the first time the principle that medical information may not be disclosed without the consent of the patient. The rule contains exceptions to this principle, some of which we believe are drafted too broadly. But prior to this rule there were no comprehensive privacy protections in federal law, so the regulation creates an important baseline of protection.
In section III of this testimony I will highlight some significant flaws in the regulation and outline our suggestions for addressing them. On balance, however, the final rule is a significant step forward, especially because it does not preempt state laws that provide stronger protections.
II. THE MINIMUM NECESSARY REQUIREMENT
I and my fellow panelists this morning have been asked to focus our attention on questions surrounding implementation of the "minimum necessary" requirement in the final medical privacy rule.
The HHS regulation requires covered entities to take reasonable steps to limit the use or disclosure of protected health information to "the minimum necessary to accomplish the intended purpose of the use, disclosure or request." 45 CFR § 164.502(b). A subsequent provision requires covered entities to establish "policies and procedures" to carry out the minimum necessary requirement, including limits on which individuals within an entity have access to the medical record. The regulation also contemplates the development of protocols for evaluating requests for health information that will limit the extent of disclosure consistent with the minimum necessary standard. 45 CFR § 164.514(d).
It might be said that the minimum necessary requirement embodies the essence of the privacy rule. It gives meaning to the presumption that information is not to be disclosed to third parties unless that disclosure is necessary to carry out a specific purpose, and then only to the extent necessary to carry out that specific purpose. It establishes the presumption that a medical record is private unless there is good reason for it not to be.
The minimum necessary requirement is a microcosm of the privacy rule itself. The privacy rule is built on the principle that protected health information will not be disclosed without patient authorization or another compelling reason. Similarly, the minimum necessary requirement says that any particular disclosure of information must be limited to the extent justified by cause. This requirement combats a sloppy practice in current medical recordkeeping, in which a legitimate request for one aspect of a patient's record leads to disclosure of the entire record simply because no one takes the time to determine how much of the record is really needed to carry out the purpose of the disclosure.
In practice, we expect the minimum necessary requirement to lead to the compartmentalization of medical records so that one portion of the record may be readily disclosed for one purpose without compromising the privacy of the entire record. Compartmentalization may sound burdensome, but it should not be - it can be accomplished by adopting simple, standard protocols for categorizing and labeling portions of a record. It will be especially easy to accomplish as records are more routinely kept in electronic form.
Compartmentalization is a common method for individuals to handle non-medical information about themselves. I, for example, maintain a professional biography that is available in numerous electronic databases to anyone else in the world. It contains information that I choose to make public: my educational credentials, the professional organizations I belong to, and my areas of professional expertise. Yet there is much personal information about me that I choose to make available to my friends but not the general public. And there is a layer of even more intimate information that I make available only to my family. Finally, there is medical information about me that I make available only to my doctor and legal information about me that I make available only to my lawyer, both categories of which I expect to be kept confidential and used only as needed. In effect, each of us utilizes a "minimum necessary" standard as we go through life disclosing information about ourselves to others.
The minimum necessary standard is a linchpin for the rest of the privacy rule. If it is not given full effect, other protections in the regulation will be impaired because the authorized disclosure of some protected health information will lead to the disclosure of information the patient sought to protect. While the minimum necessary standard will necessarily be interpreted subjectively in individual circumstances, it is important that HHS make clear that there are objective parameters to make the standard meaningful.
The Subcommittee staff has asked panelists to respond to any of five questions about the minimum necessary standard. I will address each in turn:
The minimum necessary standard will benefit patients in the same way that the privacy rule as a whole does, by bolstering the patient's control of his or her medical information thereby advancing the goal of medical confidentiality.
This benefit is not merely abstract. Clearer privacy protections for sensitive health information will encourage patients to be candid with their doctors, and that will lead to better health care. A patient who is assured that the disclosure of information about his asthma will not lead to disclosure of his mental health history has received a tangible, concrete benefit.
To comply with the minimum necessary standard, covered entities will need to develop standard policies and procedures to appropriately categorize medical information and ensure that only needed information is disclosed. We anticipate that the development of such policies will entail administrative costs at the outset, and monitoring compliance with the policies will entail ongoing personnel costs. But there is no reason to expect these costs to be unduly burdensome, since the policies involve the application of simple, common sense principles.
Health care entities, like all entities, develop policies and procedures all the time. Moreover, all but the smallest entities employ administrative staff whose responsibilities include the development and implementation of such policies. While we do not deny that some measurable cost can be attributed to adoption of a minimum necessary policy in a hospital or a doctor's office, it is likely to be a barely discernible "add-on" to other routine administrative costs. In any event, the benefits of reasonable privacy protections clearly justify the costs.
By definition, there is no single answer to this question. The line must be drawn in each instance by application of common sense and by reference to the fundamental purpose of the privacy rules. That said, the adoption of strong privacy policies at the outset of an entity's compliance with the rules will obviate the need for anguished deliberation each time a request for information is made.
Those policies should draw a bright line in favor of confidentiality and should give life to each of the two words in the standard: "minimum" and "necessary." The policy should prompt consideration of two basic questions: how much information is needed to fulfill the purpose of this request? Conversely, is there information proposed to be provided that is not necessary to fulfill the purpose of this request? Sometimes the answer will be obvious: when an insurance company requests documentation that the patient was treated for a broken arm, it is not necessary to provide information about the patient's treatment for a sexually transmitted disease. Other times the question will be closer, but should be resolved in the first instance in favor of non-disclosure. If the information provided to a requester turns out to be insufficient to accomplish the goal of the request, a follow-up request can always be made and evaluated.
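The compartmentalization practice described earlier in this section (categorize and label portions of the record) and the two-question test just above (release only what the purpose needs, and resolve close cases toward non-disclosure) amount to a purpose-based access filter, which is how a records system would actually enforce them. The following is an added example written for this page, not part of the testimony and not drawn from any HHS guidance or model policy; the compartment labels, the purpose-to-compartment policy and the sample record are constructed for illustration.

```python
"""Purpose-based "minimum necessary" filter over a compartmentalized record.

Added example, not part of the original testimony. Compartment labels,
purposes and the sample record below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entry:
    category: str   # compartment label the entry was filed under
    date: str
    note: str


# Constructed sample record: one patient, several compartments.
SAMPLE_RECORD = (
    Entry("orthopedic", "2001-03-02", "Fracture of left radius; cast applied"),
    Entry("orthopedic", "2001-04-15", "Cast removed; healing normal"),
    Entry("respiratory", "2001-05-20", "Asthma follow-up; inhaler renewed"),
    Entry("mental_health", "2001-06-01", "Counseling session"),
    Entry("sexual_health", "2001-06-10", "Treatment for sexually transmitted disease"),
)

# Constructed policy: which compartments each stated purpose may receive.
# A purpose absent from this table releases nothing (deny by default).
PURPOSE_POLICY = {
    "payment:orthopedic_claim": frozenset({"orthopedic"}),
    "payment:respiratory_claim": frozenset({"respiratory"}),
    "treatment:attending_physician": frozenset(
        {"orthopedic", "respiratory", "mental_health", "sexual_health"}
    ),
}


@dataclass
class Disclosure:
    released: list = field(default_factory=list)          # entries handed over
    withheld_categories: set = field(default_factory=set)  # compartments kept back


def minimum_necessary(record, purpose, authorized=frozenset()):
    """Return the entries releasable for `purpose`.

    A compartment is released only if the purpose policy lists it or the
    patient's explicit authorization names it. Unknown purposes and
    unlisted compartments are withheld; the requester may follow up with
    a narrower, justified request rather than receive the whole record.
    """
    allowed = PURPOSE_POLICY.get(purpose, frozenset()) | frozenset(authorized)
    out = Disclosure()
    for entry in record:
        if entry.category in allowed:
            out.released.append(entry)
        else:
            out.withheld_categories.add(entry.category)
    return out


if __name__ == "__main__":
    # An insurer documenting a broken-arm claim sees only the orthopedic entries.
    claim = minimum_necessary(SAMPLE_RECORD, "payment:orthopedic_claim")
    for entry in claim.released:
        print(f"released: {entry.date} [{entry.category}] {entry.note}")
    print("withheld compartments:", sorted(claim.withheld_categories))
    # A request with no recognized purpose releases nothing.
    print("unknown purpose released:",
          len(minimum_necessary(SAMPLE_RECORD, "marketing:mailing_list").released))
```

The `authorized` parameter models the presumption argued for later in this section: an authorization-based disclosure starts from the same minimum as a policy-based one, and the patient widens it only by naming additional compartments explicitly. Because `withheld_categories` is returned alongside the released entries, the covered entity can log what was kept back and why, which is the evidence needed to show the policy was actually applied.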
The guidance published by HHS last month provides a good explanation of the minimum necessary requirement, and should help reassure covered entities that the requirement will not be unduly burdensome. In particular, the guidance deflates some of the myths that had begun to develop about the extent to which the rule would disrupt current practices. As HHS has made clear, the minimum necessary standard does not require soundproof rooms, nor would it prevent doctors from having access to all the medical history needed for the provision of effective health care.
One useful tool will be the development of model policies and procedures, by both HHS and the private sector. Again, it is important that the bar be set high, and that the model rules provide for meaningful enforcement of the minimum necessary standard.
Yes. It is clearly necessary for institutions to apply the minimum necessary standard with respect to disclosures both within the institution and outside the institution. A breach of confidentiality is equally destructive of patient trust whether it occurs within or outside of a covered entity.
We have also been asked to recommend any proposed modifications regarding the minimum necessary requirement. While we are generally pleased with this aspect of the regulation, we believe it can be strengthened by limiting two of the exceptions to the minimum necessary standard contained in § 164.502(b).
First, contrary to the exception in § 164.502(b)(2)(ii), we believe that the minimum necessary standard should apply to disclosures made pursuant to patient authorization. This may seem unnecessary because the patient can theoretically control the extent of disclosure in the authorization itself. As a practical matter, however, authorization forms may permit more comprehensive disclosure than is necessary, and patients may not feel free to assert the right to restrict disclosure. Applying the minimum necessary standard in this context would create a presumption of less disclosure which the patient could, of course, overcome with an explicit authorization to disclose more than is minimally necessary.
Second, contrary to the exception in § 164.502(b)(2)(iv), we suggest that the minimum necessary standard apply even to disclosures required by law. In other words, we would like this aspect of the regulation to preempt other laws that are less protective of privacy, especially in the area of law enforcement. The burden should be on the government to show why any disclosure is necessary to carry out a lawful purpose. The blanket exception in this section of the rule authorizes the government to collect information beyond what is necessary. By definition, that is an unwarranted violation of the principle of patient privacy.
III. OTHER CIVIL LIBERTIES IMPLICATIONS OF THE FINAL RULE
While we have been asked to direct our attention to the implementation of the minimum necessary requirement, there are many other important aspects of the regulation and many areas where the ACLU has expressed concerns. At this time I will briefly describe what we believe to be significant gaps in the rule.
A. Coerced Consent
The final rule does not provide as strong a consent provision as we had sought. We proposed a system in which patient consent would be required before any disclosure could occur - even for treatment, payment and health care operations - and that a health care provider or plan could not deny services to the patient for refusing to consent. That would be true consent, not coerced consent. The final rule provides for uncoerced consent outside treatment, payment and health care operations, but permits providers to refuse treatment if patients will not authorize disclosures within those core functions.
Nonetheless, the two-tiered approach to consent in the final rule is preferable to mere notice. We strenuously oppose any change that would weaken the already tenuous authorization provisions in the final regulation.
B. Law Enforcement Access
The final regulations do not meaningfully limit law enforcement access to medical records. Police officers may obtain records without approval of a magistrate and they need not provide notice to the individual whose records are sought. An overbroad "identification exception" in the proposed regulation would enable the police to obtain medical records any time they seek to identify a suspect.
Consistent with our view that patients have a constitutional right to privacy in medical records held by third parties, the ACLU believes that government agents should be required to obtain judicial approval under a meaningful probable cause standard before they are granted access to a patient's medical records in the custody of a third party such as a doctor or an insurance company.
Whether or not the Fourth Amendment applies when the police seek access to medical records that the patient does not physically possess, we have urged federal policymakers to adopt a Fourth Amendment-like standard to govern law enforcement access to medical records in order to enhance patient privacy and engender trust in the doctor-patient relationship. Congress has already extended Fourth Amendment-like protection to sensitive personal information stored with third parties, including the contents of electronic communications (18 U.S.C. § 2703), information pertaining to video rentals (18 U.S.C. § 2710), and subscriptions to cable programming (47 U.S.C. § 551). Medical records are at least as deserving of privacy as stored e-mails, and are certainly more sensitive and intimate than video rental records and cable subscription information.
Of course there are occasions when the police will have a compelling need to obtain medical records. The Fourth Amendment is not a bar to police investigations, but rather balances the interests of individuals to be secure in their personal papers and effects on the one hand, and the legitimate needs of law enforcement officials on the other. Unfortunately the proposed rule does not reflect that balance.
In our earlier submissions to HHS we have described in greater detail the flaws in this portion of the rule, and I incorporate those comments by reference.
C. Marketing
The final regulation contains a new provision permitting health care providers to solicit their patients for marketing and fundraising purposes. While this is ostensibly a "one-time" exception to privacy, marketing will continue unless the patient opts out of future solicitations, a burdensome and unwarranted requirement. This exception should be struck in its entirety.
Anger about unsolicited marketing based on personal health information is one of the reasons the public demand for federal medical privacy protections is so strong. It is true that there is currently no federal law prohibiting the disclosure of health information for marketing purposes, so it might be argued that the "opt-out" requirements of the rule are an improvement on current law. In reality, however, the final regulation will increase the number of marketing appeals from third parties unknown to the individual. This is true because conduct which might have been seen as of questionable propriety will now be codified in federal law; in effect, the regulation creates a safe harbor for health care marketers and therefore encourages this practice.
Under the rule, marketers can target people precisely because they have a particular medical condition. Covered entities should not be allowed to use protected health information for these purposes absent explicit authorization from the individual. The after-the-fact opt-out provided in the final regulation is insufficient because the damage to patient trust is inflicted as soon as the first mailing is received by the patient.
Moreover, the "opt-out" provision of the rule is not well defined. If patients are to have a genuine opportunity to refuse such disclosures, the process by which they exercise that right should be simple and well-publicized. There is nothing in the final regulation that prevents a marketer from insisting on a written opt-out demand (as opposed to a 1-800 phone call or an Internet opt-out). Also, a patient should have an opportunity to opt out of all marketing disclosures with a single demand, and not reply to each marketer individually.
D. The Privacy Rights of Minors
In general, the regulation strikes the appropriate balance and maintains the status quo in dealing with health information pertaining to minors. In accordance with current law and practice, Section 164.502(g) grants parents the right to access and control their children's health information in most instances. To the limited extent that the regulation grants minors the right to control their own health information, these rights reflect existing practices and well-accepted protocols for treating adolescent patients that experts agree are critical to ensuring that young people get the health care they need. In addition, in some instances, granting the minor (rather than the parent) the right to control his or her health information is mandated by state and federal law.
Despite the regulation's generally sound treatment of minors, it suffers from one serious deficiency. Contrary to the preemption rules established by HIPAA, the regulation fails to preempt state laws that are less protective of minors' privacy.
Because we view the regulation's general approach to minors' privacy as critical to their health and well-being, we strongly disagree with the approach taken in Section 160.202. That section provides that state laws that authorize or prohibit disclosure of protected health information to a parent of a minor are not preempted. This provision violates the standards set forth in HIPAA for the preemption of state laws and undermines the important policies reflected in the regulation's general approach to minors' privacy.
The regulation generally preempts state laws that are contrary to the regulation and less protective of an individual's privacy, but lets stand those state laws that provide more protection. This rule not only makes good sense, but is also required by HIPAA. 42 U.S.C. § 1320d-7. The regulation, however, subjects minors' health information to a special rule of non-preemption. Under the regulation, all state laws regarding disclosures to a minor's parent -- even those that are contrary to the regulation and provide less protection for privacy -- are permitted to stand.
This approach is misguided. A state law authorizing or, worse, mandating disclosure of protected health information about a minor to a parent in a case where that minor has lawfully obtained health care services without the consent of a parent is contrary to the policy articulated in the regulation and provides less protection for a minor's privacy. Such a law should be preempted, but, under the regulation, it is not.
The position we are advocating would not result in the preemption of state laws that establish the circumstances under which minors can obtain health care services on their own. Rather, state law (and, in some cases, federal law) will continue to determine whether a minor can lawfully obtain a health care service on his or her own. Thus, for example, state laws that require parental consent or notification before a health care provider may perform an abortion on a minor patient would continue to apply. But when a minor lawfully obtains an abortion (or other health care service) without parental consent, state law should not subsequently permit or require disclosure to a parent of information relating to such care. Such a state law would be preempted under the position we advocate here because it would be contrary to the regulation and less protective of the minor's privacy.
Accordingly, we urge the Department to change this aspect of the regulation to comply with HIPAA and to treat state laws pertaining to minors the same as other state laws generally: state laws that are contrary to the regulation and less protective of the privacy of minors should be preempted. As is the case generally with laws that are more protective of privacy, contrary state laws that are more protective of the privacy of minors should not be preempted.
E. Protections for Victims of Violence
There are two additional steps that can be taken to strengthen these protections against inappropriate disclosures of health information that can lead to family violence.
First, the regulation requires health plans to honor an individual's reasonable request to receive communications of protected health information by alternative means or at an alternative location only if the individual clearly states that the disclosure of all or part of the information could endanger the individual. Section 164.522(b)(1)(ii). Thus, for example, a victim of domestic violence may request that her explanation of benefits form (EOB), showing that she received treatment for injuries caused by her abuser, be sent to a friend's home instead of the home she shares with her abusive husband. But the plan need not honor that request unless the woman discloses to the plan that sending the EOB home could put her in danger. Although this provision is important and beneficial, it does not go as far as it should. As an initial matter, it insufficiently protects even those who do fear violence because it requires them to disclose this fear to their health plan -- something many victims of family violence are unwilling to do -- and it allows health plans to require a written statement memorializing this fear. In addition, it provides no privacy protection for those who will not be put in danger by a disclosure, but who, nonetheless, have a real need for privacy.
In order to remedy these problems, the regulation should hold health plans to the same standard it establishes for health care providers. Providers are required, without any explanation from the individual, to honor all reasonable requests to alter the manner in which they communicate with the individual. The Department can easily make this rule applicable to plans as well by inserting the words "or health plan" after the words "health care provider" in Sections 164.522(b)(1)(i) and (b)(2)(iii) and deleting Sections 164.522(b)(1)(ii) and (b)(2)(iv).
Second, an oversight substantially limits the practical utility of the provision, discussed in section II-D above, that permits covered entities to deny personal representatives access to an individual's records if a health care professional believes that the requested access is reasonably likely to cause substantial harm to the individual or another person. Section 164.524(a)(3)(iii). The regulation requires, as it should, that when covered entities deny an individual (or the individual's personal representative) access to his or her protected health information, the covered entity must provide a written statement explaining the denial to the individual within 30 days. Sections 164.524(b)(2)(i)(B);