TESTIMONY BEFORE THE
PENNSYLVANIA SENATE COMMUNICATIONS AND
HIGH TECHNOLOGY COMMITTEE

Thank you, Mr. Chairman and Committee members, for holding this timely hearing on privacy and security in the information and technology age. I commend you for bringing together a diverse group of witnesses to introduce the Committee and the public to a broad range of privacy issues. Today, I am going to focus briefly on the critical issues of medical and genetic privacy in the information age.

Technological Advances Bring New Challenges

Today, the sacred doctor-patient relationship is in jeopardy. The incredible technological advancements that brought us high-tech, life-saving medical treatments have also increased the risk of medical privacy invasions. During the next few years, it is going to become increasingly easier to transfer electronic medical records over the Internet. With just a click of a mouse, it will be much easier to access and share individuals' records with many third parties. Many Americans are concerned about this ease of access and do not want third parties obtaining their personal medical information without their permission. In fact, a national survey highlights these concerns.

Gallup Survey on Medical Privacy

The national Gallup survey results show that an overwhelming majority of Americans do not want the government or other third parties to have access to their medical records—including genetic information—without their permission. The survey of 1,000 adults nationwide found that 78 percent say it is very important that their medical records be kept confidential. According to a majority of respondents, no third party should be permitted to see their records without permission. Key findings include:

• 92 percent oppose allowing governmental agencies access to patients' medical records without permission;
• 88 percent oppose letting police or lawyers review medical records without explicit consent;
• 84 percent say employers should not be allowed access to patients' medical records without permission; and
• 67 percent oppose researchers accessing patients' medical records without consent.

The national Gallup survey also included two important questions about genetic privacy.² One asked whether doctors should be allowed to test patients for genetic factors without their consent. Only 14 percent of respondents would permit such testing; 86 percent oppose it. The other question asked whether medical and governmental researchers should be allowed to study individuals' genetic information without first obtaining their permission. More than nine in ten adults (93%) feel medical and governmental researchers should first obtain permission before studying their genetic information.

What's more, when asked whether they are aware of a federal proposal to assign a medical identification number—similar to a Social Security number—to each American, only 12 percent said they had heard anything about it. College-educated adults (16%) are more likely than those with less than a college education (8%) to be aware of the proposal. Regardless of their knowledge about it, however, an overwhelming majority (91%) oppose the plan.

Even so, a federal law enacted in 1996—the Health Insurance Portability and Accountability Act of 1996 (HIPAA)—laid the groundwork for assigning each and every American a "Unique Health Identifier," a patient ID number that could be used to track medical information from cradle to grave.³ That plan has been put on hold temporarily until the federal government establishes adequate privacy protections.

However, the new federal regulations that are supposed to protect patients' medical privacy actually permit a large number of individuals to access patients' records without their permission.⁴ And the federal regulations will preempt state medical privacy laws that are "contrary to" the HIPAA federal law, which establishes a national electronic health information system.

Thus if this Committee and the citizens of Pennsylvania do not want third parties accessing individuals' medical records without patients' consent, then you should become familiar with the federal rules and carefully examine how they could affect your state medical privacy laws.

Federal Medical Privacy Rules:
Do They Really Protect Patients' Privacy?

However, to increase efficiency and help pay medical claims faster, the federal rules allow many people and organizations access to individuals' personal medical records without consent, including, but not limited to:

• Banks
• Researchers
• Law enforcement officials
• Federal governmental agents
• Foreign governments collaborating with U.S. public health officials.

The rules actually mandate that every doctor and other health care practitioner share patients' records with the federal government—specifically HHS—without patient consent.⁵ The federal government has granted itself the authority to access an individual's psychotherapy notes in order to monitor compliance with the new rules.⁶ Ironically, this mandate will be enforced by the HHS Office for Civil Rights.⁷

Also, there is nothing in the rules that prohibits the federal government, state governments or private parties from compiling large databases of patient information without consent. What's worse, individuals cannot sue if their privacy is breached under the final federal medical privacy rule. Instead, the federal government imposes fines.

I think the penalties are perverse: if a patient's privacy is breached, the federal government collects money, but the patient gets nothing. Something is terribly wrong with this picture.

When one's medical privacy is breached, it affects more than just one's physical well being. Breaches of medical confidentiality can affect one's employment status, ability to purchase health insurance, and ability to acquire a personal or business loan. For example, think about how the following breaches (compiled by HHS) must have affected the individuals involved.

• A banker who also sat on a county health board gained access to patients' records, identified several people with cancer, and called in their mortgages.⁸
• A candidate for Congress nearly saw her campaign derailed when newspapers published the fact that she had sought psychiatric treatment after a suicide attempt.⁹
• A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet.¹⁰

In each of these cases, do you think it is fair that the federal government should collect fines from the guilty parties, but the individual whose privacy was breached receives no compensation?

Genetic Privacy in the Information Age

The Pennsylvania legislature could prevent serious privacy invasions in the coming years by writing a law that defines clearly who owns one's DNA. Without this basic clarification, the line between genetic privacy and genetic ownership will remain fuzzy. For example, without a DNA ownership law, researchers theoretically could maintain one's genetic privacy but inappropriately use someone's DNA for cloning. In other words, a state law that addresses genetic privacy but ignores genetic ownership will not necessarily prevent individuals' genetic information from being used inappropriately.

Important Time for Addressing Medical and Genetic Privacy

Moreover, are the citizens of Pennsylvania thoroughly informed about how the new federal medical privacy rules are going to affect their right to privacy? I would venture to say that most hard- working people do not have the time to study this complicated issue and they certainly do not have time to read the 367-page rule. Instead, citizens are counting on their elected officials to make sure their state rights are not stripped away by new federal rules.

This Committee and the Pennsylvania legislature have some very critical issues to consider during the next year. To truly protect citizens' medical privacy in Pennsylvania, the legislature would need to:

1. Ensure that state medical-privacy laws are clearly more stringent, and not "contrary" to, the weak federal rules. This would include enforcing medical-privacy and genetic-ownership laws that require patients' consent before releasing their medical information—including genetic information—to third parties.
2. Ensure that the new federal rules do not preempt more stringent state laws.
3. Ensure reasonable and adequate compensation for individuals (not the federal or state government) if individuals' medical privacy is breached.

This Committee is probably going to hear a lot about the need to share patient medical information in order to protect the public's health. In view of that argument, it is important to note that we have seen incredible advancements in medical technology during the past 30 years when the United States enforced consent laws. Simply because we have new technology that facilitates the exchange of medical information electronically does not mean that we should eliminate the important legal concept of informed consent.

Any new law or regulation that strips Americans of their right to determine who sees their medical records goes against the will of the majority of citizens. Consent has always been viewed as a fundamental human right, and the national Gallup survey confirms that Americans strongly support that right when it comes to determining who can access their medical and genetic information.

As Americans, we cherish the freedom to confide in and maintain confidential relationships with our clergy and lawyers. Should we not also be free to maintain a sacred, confidential relationship with our doctors and other health-care practitioners? After all, the primary goal in seeking medical care is to be healed, not revealed.

Finally, I would like to note that until today, there has been little awareness as to how the new federal medical-privacy rules could affect the citizens of Pennsylvania. I commend this Committee for bringing these important issues to light. Thank you kindly for the opportunity to testify before this Committee during this groundbreaking hearing. I would be pleased to answer questions or provide additional materials for the record.