Health and human services "privacy" standards: the coming destruction of American medical privacy.

Author: Twight, Charlotte

Federal privacy regulations issued by the Clinton administration on December 28, 2000, and adopted by the Bush administration on April 14, 2001, perpetrate a fraud on the American people, proclaiming privacy as their goal when ever-wider access to individual medical records is their actual and intended effect. In this article, I document the stark contrast between what Americans want and what they are getting from the federal government with respect to medical privacy, examining how and why that incongruity emerged.

Recently, the high value that ordinary Americans place on medical privacy was shown in a September 2000 Gallup poll sponsored by the Institute for Health Freedom, in which the respondents strongly opposed unauthorized access to medical records. Seventy-eight percent regarded the protection of the confidentiality of their medical records as "very important"; 91 percent opposed government-mandated medical identification numbers; and 88 percent opposed storing patient medical records in a national computerized database for use without the patient's permission. Questioned about who should be allowed to see individuals' medical records without their consent, 92 percent of the respondents opposed access by government agencies, 88 percent by law enforcers ("police or lawyers"), 95 percent by banks, 84 percent by employers, and 67 percent by medical researchers. Fully 95 percent agreed that doctors and hospitals should be required to obtain an individual's permission before storing his medical records in a national computerized database (Gallup Organization 2000).

Ironically, unbeknown to the majority of respondents, most of the threats to medical privacy mentioned in the Gallup survey had already been either enacted into law or proposed as part of regulatory efforts to implement existing law. Yet only 16 percent of those surveyed had heard of new federal laws and regulations changing the rules regarding access to personal medical records, and 87 percent were not aware of a "federal proposal to assign medical identification numbers, similar to a social security number, to you and all other Americans to create a national database of medical records" (Gallup Organization 2000, 8, 12-13).

However, the laws were already on the books, and their implementation was accelerating. In April 2001, federal regulations adopted in the name of medical privacy further expanded access to individually identifiable medical records, without patient permission, by some of the very groups whose unauthorized access Americans most strongly oppose. How did this widely opposed result come about?

"Administrative Simplification" and the Erosion of Medical Privacy

The federal legislation underlying the new regulations is part of the Health Insurance Portability and Accountability Act (HIPAA), commonly known as the Kennedy-Kassebaum bill (Public Law 104-191, August 21, 1996). Enacted in 1996 with virtually no opposition, HIPAA seemed to foreshadow only good things--at least, it did so if one listened only to government officials and to the popular press. Members of Congress, the president, and the news media repeatedly emphasized HIPAA's appealing objectives, chief among them reduction of the "job lock" that tied many workers to their existing employment for fear of losing insurance coverage if they switched jobs.

Prior to HIPAA's passage, however, lawmakers and the press seldom told the public about the act's more ominous side--privacy-threatening provisions buried in a section entitled "Administrative Simplification," which included some of the most feared elements of the rejected 1993 Clinton health security bill. Copied almost verbatim from the 1993 bill were HIPAA's requirements for uniform electronic databases of personal medical information nationwide and for the creation of a "unique health identifier" for every American. The 1996 act empowered the federal government, at its discretion, to require detailed information on what lawmakers called "encounters" between doctors and patients. The secretary of the U.S. Department of Health and Human Services (HHS) was to adopt standards to enable "health information"--that is, everything a doctor, employer, university, or life insurer ever learns about an individual--"to be exchanged electronically." The legislation aimed to create a "health information system" through the "establishment of standards and requirements for the electronic transmission of certain health information" by medical practitioners (Public Law 104-191, Title II). The issuance of privacy regulations to protect this new electronic flow of personally identifiable medical information was not required until three and a half years after the passage of HIPAA. (1) Yet dissent--or even attention to these provisions--scarcely arose.

In the winter 1998 issue of The Independent Review, I analyzed HIPAA's privacy-threatening provisions and showed that provisions related to a medical ID number and to an electronic database--along with broad new civil and criminal punishments potentially applicable to honest doctors acting in the best interest of their patients--gained passage by means of the same political tactics that had facilitated enactment of the original Medicare law in 1965 (Twight 1998). Misrepresentation, the tying of unpopular measures to popular ones, incrementalism, and other forms of political transaction-cost manipulation were as instrumental in 1996 as they had been in 1965. It was emblematic of these strategies that the electronic database and health-identifier provisions were tucked in the back of the law under the rubric "administrative simplification."

These statutory provisions have spawned an outpouring of new regulations that will soon destroy our medical privacy. The same tactics that spawned Medicare and HIPAA are being employed again in the regulatory implementation phase of HIPAA.

HIPAA Regulations: Privacy and the Standardization of Medical Records

Congress did not formulate the medical privacy standards that took effect in April 2001. Instead, it delegated that responsibility, along with other duties under HIPAA, to HHS. Between 1996 and 2000, HHS released HIPAA-based regulatory packages one by one: hundreds of pages of proposed rules, explanations of proposed rules, responses to public comments on proposed rules, preliminary releases of final rules, actual final rules, explanations of final rules, and much else. The HHS fine print fills a stack of paper already more than nine inches high and still growing, unapproachable and surely indecipherable by the average citizen. But why should ordinary people bother to read it anyway? Media and government sources continue to assert the benign nature of the new regulations, which are said to promise cost savings through database standardization along with protection of people's medical privacy. Why be concerned?

One reason for concern is that recent HHS regulations have created an architecture for the standardization of our medical records that facilitates their integration into comprehensive medical portraits of individuals. Carrying out its HIPAA mandate, HHS in August 2000 published a final rule titled "Standards for Electronic Transactions" (hereafter, the "transactions rule"), a regulatory package that specifies uniform nationwide formats and codes for electronic medical records (U.S. Dept. of HHS HCFA 2000).

Although data formats and codes may sound boring and technical, they lie at the heart of the federal government's current quest to acquire centralized medical data about us. Intended to standardize most electronic medical records nationwide, the transactions rule makes it much easier to transmit and combine medical information about an individual from diverse sources. Calling it the "most dangerous aspect of the new regulations," Representative Ron Paul (R.-Tex.), a physician, stated:

All health care providers, including private physicians, insurance companies, and HMOs, will be forced to use a standard data format for patient records. Once standardized information is entered into a networked government database, it will be virtually impossible to prevent widespread dissemination of that information.... The truth is that a centralized database will make it far easier for both government agencies and private companies to access your health records. (Paul 2001)

Even HHS secretary Donna Shalala acknowledged the threat to privacy created by the transactions rule, stressing the importance of adopting privacy rules to offset it. HHS stated, "If the privacy standards are substantially delayed, or if Congress fails to adopt comprehensive and effective privacy standards that supercede [sic] the standards we are developing, we would seriously consider suspending the application of the transaction standards or taking action to withdraw this rule" (U.S. Dept. of HHS HCFA 2000, 50365; my emphasis). How often does one encounter a federal agency that, having just created a regulation, immediately expresses a willingness to suspend it?

A close reading of the transactions rule clarifies the reasons for these extraordinary expressions of concern. The transactions rule mandates nationwide use of specific, standardized code sets for recording medical information (data elements) applicable to "standard transactions." The eight identified standard transactions are:

* Health care claims or equivalent encounter information

* Eligibility for a health plan

* Referral certification and authorization

* Health care claim status

* Enrollment and disenrollment in a health plan

* Health care payment and remittance advice

* Health plan premium payments

* Coordination of benefits (U.S. Dept. of HHS HCFA 2000, 50370-72)

These categories are broadly defined. "Health care claims or equivalent encounter information," for example, include not only actual reimbursement claims but also, in the absence of any direct claim, "the transmission of encounter information for the...
