Health Freedom Watch
Health Privacy Roundup
A lot has been happening around the nation regarding health privacy policies that affect all citizens. A summary follows:
Significant Privacy Breaches from Outsourcing Federal Health Services
The Government Accountability Office (GAO) reported recently on the significant percentage of privacy breaches that occur with outsourcing contractors used by Medicare, Medicaid, and TRICARE (Department of Defense health-care program). Together these government programs cover more than 100 million Americans (42 million in Medicare, 56 million in Medicaid, and 9 million active-duty military service members, retirees, and their dependents).
According to the September 2006 GAO study “Privacy: Domestic and Offshore Outsourcing of Personal Information in Medicare, Medicaid, and TRICARE,” 40 percent of almost 400 federal contractors and state Medicaid agencies reported a privacy breach within the past two years. The personal information accessed may include medical diagnosis and treatment records, and patient identifiers, such as name, address, date of birth, and Social Security number. Over 42 percent of Medicare fee-for-service contractors reported privacy breaches in that period.
President Bush Signs Executive Order Simplifying the Transfer of Electronic Medical Records
While federal agencies contend with privacy breaches, President Bush is moving forward with promoting “interoperable” electronic medical records. In August he signed an executive order, “Promoting Quality and Efficient Health Care in Federal Government Administered or Sponsored Health Care Programs,” requiring agencies and their contractors to meet “interoperability” standards for health data. “Interoperability” is defined as “the ability to communicate and exchange data accurately, effectively, securely, and consistently with different information technology systems, software applications, and networks in various settings, and exchange data such that clinical or operational purpose and meaning of the data are preserved and unaltered.” According to a Kaisernetwork.org report, all health-care providers who receive federal funds will have to abide by these uniform information technology standards.
It is worth noting that this “interoperability” requirement was tied to other federal orders to establish transparency regarding health-care quality and price and to establish reimbursement models based on quality of care, including pay-for-performance models.
CIA Investing Money in Software for Managing Electronic Health Records
Meanwhile, Government Health IT reported on August 14 that “The CIA-backed venture capital firm In-Q-Tel is investing money in a company that sells software used for managing electronic health records.” The tool is referred to as “master patient index” software and could be used in lieu of assigning every citizen a unique health identifier, which Americans vehemently oppose. In fact, in 2005 Dr. David Brailer (then national coordinator for health information technology at the Department of Health and Human Services) said HHS had decided not to base a national medical network on unique health identifiers. But it has been unclear what other technology might be used instead.
The Government Health IT article went on to note that “Because U.S. and Canadian health care providers use that software extensively, privacy advocates say they are concerned about the CIA’s role…. Twila Brase, president of Citizens’ Council on Health Care, a St. Paul, Minn. health care policy organization, said her group opposes master patient indexes because they can serve as national identifiers.”
Florida Patients Have No Legal Recourse under Federal Health Privacy Rule
Some 1,100 patients in Florida have discovered that under the federal medical-privacy rule (mandated by the Health Insurance Portability and Accountability Act of 1996), they have no legal recourse for breaches of privacy.
A September 15 article by Naples Daily News reports the Naples patients learned that a former hospital employee working as a front-desk coordinator downloaded and printed their information, including Medicare beneficiary numbers, Social Security numbers, birth dates, and home addresses. The data was used to seek more than $2.8 million in fraudulent Medicare claims.
The article notes that the only legal recourse the patients have is to bring suit under Florida privacy-rights laws, but that success hinges on proving actual damages from theft of their personal information. However, stress about loss of privacy is not enough to prove actual damages, according to Benjamin Butler, an attorney with the firm Crowell & Moring in Washington, DC.
Americans who want to ensure their health privacy should become thoroughly informed about the lack of true health privacy rights under the federal rule and work to strengthen their state privacy laws and/or repeal the misleading federal rule.
- “CMS Should Tighten Privacy of Health Data Held by Contractors,” Government Computer News, September 8, 2006.
- “Privacy: Domestic and Offshore Outsourcing of Personal Information in Medicare, Medicaid, and TRICARE,” United States Government Accountability Office, GAO report no. GAO-06-676, September 2006.
- “Executive Order: Promoting Quality and Efficient Health Care in Federal Government Administered or Sponsored Health Care Programs,” August 22, 2006.
- “Daily Health Policy Report: President Bush to Sign Executive Order Establishing Health IT Standards, Requiring Quality Measurement Systems for Federally Funded Care Providers,” August 7, 2006.
- “CIA-Backed Investment Stirs Health Privacy Fears,” Government Health IT, August 14, 2006.
- “Master Index Pitched as Patient ID Alternative,” Government Health IT, September 12, 2005.
- “Florida Health Fraud Case Breaks New Legal Ground,” Naplesnews.com, September 15, 2006.
Patient Privacy Group Denounces Blue Cross Blue Shield Plan to Disclose De-identified Data of 79 Million Enrollees
Enrollees never agreed to disclosure of their medical and claims records and cannot opt out
Patient Privacy Rights denounced Blue Cross Blue Shield’s plans to disclose [de-identified] data gathered from its enrollees. On August 4, 2006, Blue Cross and Blue Shield (BCBS) announced the creation of Blue Health Intelligence (BHI), composed of claims and health information from 79 million plan enrollees, and its intention to disclose this data to employers, drug companies, device manufacturers, and other corporations. (See participating plans cited below.)
“This move by the Blues reveals what Americans can expect from an electronic health system because they no longer have the right to control access to their medical records. Their sensitive health records will be used for corporate profits and in ways that can directly harm them,” said Deborah C. Peel, M.D., founder and chair of Patient Privacy Rights, a national consumer privacy watchdog organization.
In a press release, Blue Cross and Blue Shield executives tout potential uses of the nation’s largest database of consumer health data as providing “a treasure trove of information that employers working with health plans can use to extract greater value for their health care dollars.”
In a conversation with Patient Privacy Rights, [Chief Medical Officer with BCBS of Minnesota] David Plocher, M.D., said that the intended use of the database is to “service the big employers that pay the bills and want to pay smaller bills for health insurance.” Further he said that he was “very enthralled about the ability to help multi-state employers fix their healthcare costs.” During the one and one-half years that BCBS has been building the BHI database, he had “never heard about privacy concerns.”
“Blue Cross is moving rapidly ahead with their plan to use—and we assume this means sell—the health data of 79 million [Americans] despite the moral, ethical, and legal violations this theft of personal data entails. Consumers agree to have their doctors share medical records with insurers only so that payment can be made. BCBS never asked consumers for informed consent to use their sensitive health records for any other purpose. Consumers’ expectations are crystal clear: we expect our medical records to remain private and we expect to control access to and uses of our sensitive health records,” Dr. Peel said.
Patient Privacy Rights states that, morally and ethically, sensitive medical records belong to patients. The patient privacy watchdog organization says that BCBS is acting in violation of state and common laws requiring consent before medical records are disclosed.
“Existing state laws do not say it’s OK to disclose medical records stripped of personal identifiers. In fact, there is great risk that de-identified records can be re-identified and no laws prohibit the re-identification of health data,” Dr. Peel said.
Patient Privacy Rights states that the BCBS plan to aggregate and disclose, sell and/or lease enrollees’ health data is wrong because:
- Consumers did not consent to the re-use of data that was disclosed only to pay claims.
- Consumers were not given the opportunity to opt in to or opt out of the BHI database.
- Consumers do not have access to audit trails of disclosures of their data to other corporations beyond BCBS.
- Aggregating and using enrollees’ health data violates the Code of Fair Information Practices.
- The database violates medical ethics—patients were never asked for informed consent to have their data entered into the BHI database for uses BCBS did not specify or get consent for.
- The database violates state and common laws that require consent before the disclosure of medical records; there are no exceptions for de-identified records.
- Re-identification of data is not hard to do, subjecting consumers to risks of exposure, humiliation, credit loss, or to employer discrimination in hiring, firing and promotions.
- Operating without consumers’ permission, BCBS could decide to add other medical records in their possession to the BHI database, such as lab results, x-ray reports or films, clinical notes and records, etc.
“Consumers should be able to prevent information that was obtained for one purpose from being used or made available for other purposes without their consent,” said Dr. Peel.
The BHI database will provide a new and very lucrative profit stream for BCBS. Dr. Plocher told Patient Privacy Rights that BCBS “is still debating internally whether or not and how much to charge for access to the database.”
Other corporations that find it very profitable to sell identifiable health data without consent include IMS Health, which sold prescription data for revenues of $1.75 billion in 2005, and the AMA, which sold physician databases for $44.5 million in 2005.
Blue Cross and Blue Shield touts future benefits to consumers that will not be available in the beginning:
- In the future, the plan will allow consumers access to the database.
- In the future, the plan will allow consumers to make cost comparisons of doctors and treatments.
- In the future, the data can be used for research. (BCBS hired Harvard and Hopkins to suggest uses of the database for research; 6 studies are reportedly being planned.)
“We are for the smart uses of health care electronic technology. We are for consumer access to their personal electronic records. We are for transparency in health care costs. We are for the huge benefits that can come from research using secure, de-identified databases. But, ONLY with consumer control of access to their data. Most Americans do not trust insurers to hold and protect their sensitive electronic medical records. And this distrust is earned when insurers do things like BCBS has done: taking our records and disclosing our records without first obtaining our informed consent,” Dr. Peel said.
BHI Participating Plans include:
- Arkansas Blue Cross and Blue Shield
- Blue Cross and Blue Shield of Rhode Island
- Blue Cross and Blue Shield of Alabama
- Blue Cross and Blue Shield of Florida
- Blue Cross and Blue Shield of Massachusetts
- Blue Cross and Blue Shield of Minnesota
- Blue Cross and Blue Shield of North Carolina
- Blue Cross and Blue Shield of South Carolina
- Blue Cross Blue Shield of Michigan
- Blue Cross Blue Shield of Nebraska
- Blue Cross of Idaho
- BlueCross BlueShield of Tennessee
- BlueCross BlueShield of Western New York/BlueShield of Northeastern New York (HealthNow New York, Inc.)
- Capital Blue Cross
- CareFirst BlueCross BlueShield (DC, DE, MD)
- Excellus BlueCross BlueShield
- Highmark Blue Cross and Blue Shield
- Independence Blue Cross
- The Blue Cross and Blue Shield Plans in IL, OK, NM, TX (Health Care Service Corporation)
- The Blue Cross or Blue Cross and Blue Shield Plans in CA, CO, CT, GA, IN, KY, ME, MO, NH, NV, NY, OH, VA, WI (WellPoint, Inc.)
- “Patient Privacy Group Denounces Blue Cross Blue Shield Plan to Disclose Health Data of 79 Million Enrollees,” Patient Privacy Rights press release, August 11, 2006.
Congress Considers Important Health Privacy Legislation: Share Your Views
Although the likelihood of Congress passing health-care bills remains uncertain, CongressDaily reported (on September 25) that health-care IT legislation [H.R. 4157] “has the most promising prospects for passage before recess.” Congress plans to recess [on September 29] and return after the November 7 elections, according to the Kaiser Daily Health Policy Report. Thus, citizens who care about their health privacy should voice their own opinions to their members of Congress—and soon.
Jim Pyles, an attorney representing the American Psychoanalytic Association on health privacy matters, stresses that unless the following principles are upheld in the health-care IT bill, the legislation will not guarantee true health privacy:
Principles for Ensuring Health Privacy Rights
- Privacy standards [established by laws and regulations] should recognize that individuals have a right to health information privacy.
- An individual’s identifiable health information must not be disclosed or re-disclosed without his or her written or electronic consent (unless otherwise required by law).
- An individual should be allowed to limit the disclosure of certain especially sensitive health information (such as mental health, genetic, HIV/AIDS, and drug and alcohol treatment information) to only designated practitioners.
- An individual should not be coerced or compelled to disclose his or her entire health-care record as a condition of obtaining health-care treatment, insurance, or employment.
- The privacy protections must apply to any individual or entity that handles the information.
- The privacy protections must provide any individual with a right to obtain damages and other relief for a violation of the individual’s right to health information privacy.
- The privacy protections must require notification of actual or suspected privacy breaches to the individual whose privacy was compromised and to the [HHS] Secretary who should maintain a publicly accessible list of entities which have had privacy violations as well as the remedial action taken and any penalties that were imposed.
- The privacy protections should ensure that no practitioner will be required or coerced to disclose a patient’s identifiable health information in violation of the practitioner’s standards of medical or professional ethics.
- “Kaiser Daily Health Policy Report: Prospects Uncertain for Actions on Health Care IT Bill, Medicare Physician Payment Rate,” September 25, 2006.
- “Essential Privacy Principles for Quality Health Care,” by Jim Pyles (www.ppsv.com) on behalf of the American Psychoanalytic Association, September 2006.
- “Congress Set to Override State Medical Privacy Rights,” Health Freedom Watch, May 2006.
President’s Message: Questions to Consider Regarding Universal Health Care
By Sue Blevins
With the number of uninsured Americans increasing, universal health care is again at the front of the national health policy debate. But as the nation prepares to choose its path, it is important to ask questions that often get ignored, but that affect each citizen personally.
Here are a few questions that our policymakers and opinion makers should consider:
- How does universal health care work in other countries? Do citizens have the freedom to choose their health-care providers and treatments without delays, rationing, or coercion?
- Do citizens really want to hand over their freedom to make personal health-care decisions to a collective organization (i.e., a national insurance program)?
- Should all citizens have to give up their freedom to contract privately for health care and maintain health privacy in order to serve national interests?
- At what point do individual rights end and public concerns begin?
- Is there a way to help cover those who can’t afford health insurance while allowing others to maintain their private insurance and confidentiality?
The debate over universal health care is not simply about raising taxes to cover the uninsured. Creating a universal health-care system in the United States would have serious implications for each citizen’s freedom to choose his or her own health care and to maintain confidential relationships. We can’t afford to ignore the effect of universal health care on these freedoms.
Sue A. Blevins is founder and president of the Institute for Health Freedom in Washington, D.C.
Health Freedom Watch is published by the Institute for Health Freedom. Editor: Sue Blevins; Assistant Editor: Deborah Grady. Copyright 2006 Institute for Health Freedom.