Interesting People mailing list archives
IP: Analysis of Jeffords Bill
From: Dave Farber <farber () cis upenn edu>
Date: Sat, 11 Apr 1998 10:49:28 -0400
From: "Joel R. Reidenberg" <reidenberg () sprynet com>
To: "Farber@Cis. Upenn. Edu" <farber () cis upenn edu>

Thought IPers would be interested in this analysis of the Jeffords Health Privacy Bill. I received it from a very knowledgeable and reliable source and find it to be a very thoughtful assessment that raises many troubling issues.

JRR

***********************************************
Joel R. Reidenberg
Professor of Law and Director of Graduate Program Academic Affairs
Fordham University School of Law
140 W. 62nd Street
New York, NY 10023 (USA)
Tel: 212-636-6843
Fax: 212-636-6899
Email: <reidenberg () sprynet com>
Web: <http://home.sprynet.com/sprynet/reidenberg>
***********************************************

+ + + + + + + + + + + + + + + + + + + + + + + + +

Analysis of S.1921
Health Care Personal Information Nondisclosure Act of 1998

SIGN OR DIE

NOTE: This analysis was independently prepared by an individual who wishes to remain anonymous and may be circulated without limit provided that this disclaimer is included. This analysis may not be quoted or attributed to anyone.

At the beginning of April, Senator Jeffords introduced a new health privacy bill (S.1921). Like other health privacy bills, Jeffords' proposal is long and complex. It contains one especially notable and troublesome new feature, and this analysis focuses on that feature and a few others. This is not a comprehensive review of the proposal.

Coerced Consent - The biggest single problem with the bill is the patient authorization language in section 202. The effect of this language is to give health plans, employers, and providers the power to decide how patient information can be used and disclosed AND to force patients to agree to whatever the plans, employers, and providers decide. The proposal lacks clear statutory or regulatory limits on the power of health plans, employers, and providers to use and disclose identifiable health information to suit their own interests.

Section 202 provides that every employer offering a health plan, every health plan, and every provider MUST obtain from every individual a signed authorization. As a result, each individual covered by health insurance provided by an employer will be required to sign at least two separate authorization forms: one from the health plan and one from the employer. These are separate authorizations. The spouse of a worker must also sign an authorization, and a parent must sign on behalf of each covered child. Any individual seeking care from a provider may also be required to sign a separate authorization for each provider.

Section 202 provides that the signed, written authorization "is a legal, informed authorization concerning the use and disclosure of protected health information for treatment, payment or health care operations." Thus, the terms of the law proclaim that the authorizations are both "legal" and "informed." However, nothing in the bill gives an individual any ability to refuse to sign or to bargain over the contents of the authorization. The law REQUIRES an employer, health plan, and provider to obtain an authorization.

What happens if an individual refuses to sign an authorization? The bill would make signing an authorization a condition of enrollment in a health plan or of the provision of health care. As a result, it appears that an individual who refuses to sign loses health insurance or can be denied treatment. The legal requirement to obtain an authorization falls on the employer, health plan, and provider. Without an authorization, each would appear to be legally justified to deny insurance or treatment to anyone who refused to sign an authorization or who modified it in any way.

For those who require either health insurance or health treatment, the policy in the Jeffords bill is sign the form or forego treatment or insurance. In other words, SIGN OR DIE.

There is no opportunity for bargaining, for customizing an authorization to meet individual needs, or for opting out of a particular disclosure. This is not informed consent. There is nothing consensual about signing. The consent is coerced as a matter of federal law. SIGN OR DIE.

Every employer, health plan, and provider can force an individual to sign an authorization form that permits a wide and nearly unlimited variety of uses of health information. Employers, plans, and providers can draft authorization forms to suit their own needs and requirements, without any regard for the interests of patients. Because patients have no choice but to sign, there is no meaningful external constraint on the scope of the authorizations.

Scope of Authorizations - The bill provides expressly that the authorization obtained by employers must cover "treatment, payment, or health care operations." Authorizations obtained by health plans and by providers appear to have no similar limitations. Nothing in Section 202 seems to limit use and disclosure to treatment, payment, or health care operations. However, the title of Section 202 suggests that the authorizations are for treatment, payment, or health care operations so it is likely that the intent is that authorizations obtained by plans and providers under this section are for those purposes. This may just be a drafting error.

Disclosures for Treatment - The authorizations under Section 202 would cover disclosures for treatment. Some other health privacy proposals would permit nonconsensual disclosures for treatment. But they provide patients with an opt-out. Under other proposals, if a patient objects to a disclosure for treatment, that objection is effective. Under the Jeffords bill, a patient has no ability to object to any disclosure for treatment.

Suppose, for example, that a patient does not want his/her record disclosed to a particular doctor because the patient and the doctor are related.
Writing that restriction on the authorization form, however, could result in cancellation of insurance or denial of treatment. Under section 202, patients are afforded no opportunity to modify the authorization forms presented by employers, plans, and providers. A provider or health plan is under no obligation to agree to a patient's request to limit disclosures for treatment.

Another hypothetical: Suppose that an employer's authorization form permits disclosure of all patient information as a treatment disclosure to the employer's in-house medical staff. The authority would allow the staff to obtain records of treatment obtained by the employee anywhere else. The employer will say that the disclosure is justified because in-house staff may be called upon to provide treatment in emergencies or otherwise. The consequence is that an employer could force an employee to consent to the routine disclosure of an entire medical record to the employer.

An individual cannot refuse to sign an authorization form for treatment. However, an individual can apparently revoke an authorization for treatment. Section 202(c) allows for revocation of authorizations. If a patient signs an authorization and then revokes it in whole or in part, it is not clear what the consequences are. The bill makes signing an authorization form a condition of enrollment in a health plan. If an individual can revoke consent for disclosures for treatment, then the concerned individual could do so immediately after signing the required form. This would make the federally mandated consent a nullity. It is unclear how the "condition of enrollment" language meshes with the revocation authority.

Disclosures for Payment - The authorizations required under section 202 would cover disclosures for payment. Some other legislative proposals would permit nonconsensual disclosures for payment.
But they provide that if a patient and provider arrange for payment other than through an insurance company, then disclosures for payment are not permitted. In other words, a patient can agree to pay out of pocket without an insurer or employer learning about it.

The Jeffords proposal does not allow an individual to refuse to sign a consent for disclosure for payment under any circumstances. However, the individual may later revoke that consent. Section 202(c)(1) says that an individual may revoke an authorization unless disclosure is necessary for payment for health care already provided and for which the individual has not agreed to assume financial responsibility.

The requirement for signing and later revocation is crucial because it makes it much more difficult for a patient to exercise control. Suppose, for example, a patient pays for psychiatric care without relying on insurance. The careful patient, having signed the initial, required authorization form, then revokes it in part so that it no longer covers the psychiatric care. This appears to be permissible. But if on renewal of the health policy or on a subsequent visit to the psychiatrist's office or to another health care office, the patient signs the standard authorization again, failure to renew the revocation will vitiate the initial revocation and make the records now available for a subsequent payment disclosure. The structure of the Jeffords bill makes it particularly difficult for patients who want to pay for their own care to prevent information from slipping into the payment system.

Disclosures for Health Care Operations - This is the biggest loophole in section 202 because of the lack of specific definitions. Health care operations are defined to include any services provided by or on behalf of a health plan or provider for the purpose of carrying out the management function or implementing the terms of a contract for benefits.
In other words, an individual can be required to "agree" to disclosures for any management functions without restriction. Health care operations include (but presumably are not limited to): quality assurance activities and outcomes assessments; reviewing competency of health care professionals; accreditation, licensing, or credentialing activities; analysis of health plan claims or health care records data; evaluating health plan and provider performance; utilization review and precertification; underwriting; and auditing.

The long list of permissible disclosures uses terms that are mostly undefined and could include virtually any type of use or disclosure that an employer, plan, or provider might want to make to satisfy its own institutional needs. For example, a disclosure for outcomes assessment could allow the entire medical record of an employee or an employee's family to be disclosed to the employer without notice, restriction or limitation. Similarly, disclosures to employers could fall under evaluating plan and provider performance. An employer might even disclose patient information to an employee's supervisor by claiming that it wants to obtain the supervisor's opinion on the performance of the employee's provider.

Pharmacy Disclosures - Recent press stories highlighted how some pharmacies were making disclosures of patient information without consent for marketing purposes. It appears that the Jeffords bill wants to make it impossible for a provider to use the Section 202 authorization procedure to collect patient authorization for this purpose. Section 202(f) provides that authorization may not authorize disclosures "with the intent to sell, transfer, or use protected health information for commercial advantage." But this language may not provide adequate protection for patients.

First, the language of section 202(f) limits disclosure and not use.
The Jeffords bill is not clear on whether a distinction between internal use and external disclosure is meaningful. Assuming that it is a real difference, a drug manufacturer that owned a pharmacy could obtain the information because it is still within the same company. Another way to accomplish the same purpose might be for the manufacturer or the third party company to become an agent of the health plan. Then the disclosure might not be restricted because it is an internal use.

Second, the term "commercial advantage" is not defined. Regardless, it provides no real limitation since any disclosure for disease system management could be justified -- rightly or wrongly -- as a treatment disclosure benefitting the patient or as part of a management function. As long as there is another intent for the disclosure, the restriction on disclosures for commercial advantage might not apply.

Third, given the complex relationships between health care institutions, a disclosure of patient records might involve no overt payment or identifiable commercial advantage, but a pharmaceutical manufacturer could provide hidden discounts or benefits to cooperating plans or providers.

The limitation in Section 202(f) offers little assurance that patient data will not be widely circulated to marketers or used for marketing purposes by a provider, plan or employer. If a pretext is found for including the disclosure in the authorization form that must be signed, then the disclosure will be "authorized."

Revocation - Section 202(c)(2) discusses the revocation of an authorization given to a health plan. It is not clear whether a patient can revoke an authorization for disclosures for health care operations. Nothing in this section appears to restrict a patient's ability to revoke. A careful patient required to sign an authorization form might immediately revoke it. Whether this would permit a health plan to terminate coverage is not clear.
However, other revocation language suggests that revocation of the authority is not an allowable result. When an individual cancels or fails to renew enrollment in the plan, the authorization is deemed to be revoked, except as may be necessary to complete health care operations and payment requirements related to the individual's period of enrollment. This suggests that the intent of the bill is that an affirmative revocation might not be able to cover health plan operation disclosures. It is not clear.

Still, the revocation provision has several different consequences for both patient and health plans.

First, when a patient switches a health plan, any existing authorization for treatment disclosures is revoked. So when an individual moves to another plan and another doctor, the previous authorization that would have permitted transfer of treatment records is no longer valid. New paperwork is required for the treatment disclosure.

Second, revocation-by-cancellation places health plans in a precarious position. Suppose that a health plan wants to use the record of a former enrollee in auditing, licensing, outcomes assessment, or for other health care operations purposes. Records of current enrollees (active revocation aside) could be used because of the signed authorization. But for former enrollees, use is permitted only "as may be necessary to complete health care operations." Each former enrollee's record would have to be identified, and a determination made that the record is "necessary" for the proposed use. Further, the term "complete" suggests that the exception to revocation is limited. Thus, it would be hard for a health plan to argue that a two, three, or ten year old patient record is needed to "complete" an outcomes assessment. Each patient could argue that any health care operation could be accomplished just as well without his or her individual record.
The result is that health plans have a problem if they want to use records of former enrollees for operational purposes other than payment. They could easily be sued by patients who object that the uses no longer fall under the revoked authorization even with the statutory limitation. Because the disclosure authority for all health care operations is based SOLELY on each patient's authorization, that authority can and will expire.

The revocation provision could also affect treatment. A treatment authorization may cover the treatment of patients other than the record subject. A physician treating a patient may look at records of other patients with similar conditions to learn what treatments were effective. Some other proposals would allow this type of disclosure for treatment of other patients unless the subject of a record has objected. Once the authorization is revoked by cancellation of the health plan, the disclosure of a health record for treatment of others would no longer be permitted.

Coerced consent does nothing to protect the privacy rights of patients. As proposed in S.1921, it also places health plans and employers at risk if they use the records of former enrollees.

Conclusion - Not all of the disclosures that a patient would be forced to consent to under the S.1921 coerced consent language are necessarily objectionable. Many other proposals authorize similar disclosures. What is objectionable is the legal requirement that patients MUST sign consent forms authorizing disclosure. A patient who seeks to modify a mandatory authorization form or to question its content runs the risk of having insurance coverage terminated or being denied treatment.

Section 202 of the Jeffords bill provides employers, health plans, and providers with nearly unlimited ability to use and disclose patient records as they see fit. As a result, it does little to improve privacy protections for individuals. Patients will be forced to sign away their possible privacy interests.
The coerced consent model offers the appearance of patient privacy while really only protecting the interests of those who seek to exploit patient data in nearly any way that they see fit.

Other proposals define uses and disclosures in statute. By relying on a statute for definitions, there will be an objective, external standard to regulate patient records. Under the coerced consent model, the employers, plans, and providers are able to make choices about how records are used and disclosed, without regard for patient need or statutory limitations. They can force patients to agree and make it difficult or impossible for patients to challenge the authorization forms or to hold anyone accountable for uses and disclosures.

The fundamental issue is not whether there should be limits on the use of health records. Everyone agrees that there should be. The real issue is who sets those limits. S.1921 allows health plans, employers, and providers to define how records can be used without any participation by patients or external controls. A better answer is to establish limits in legislation so that privacy policy is made by the Congress and so that patients have a greater say in nonessential uses.

Coerced consent abdicates the responsibility of Congress to establish protections for patient privacy. S.1921 turns the responsibility over to health plans, employers, and providers. This is a fundamental flaw in approach, and it will not further patient privacy interests at all. In some ways, it is even a step back from the current rules that afford few protections to patients.

Audit Trails - Suppose that health care information is disclosed to an employer and shared by the employer with an employee's supervisor. How can an employee find out that this has occurred? Section 112 requires the maintenance of audit trails. But the requirement only applies to EXTERNAL disclosures.
In the workplace, there is no way to learn if records have been seen by any person who works for the entity maintaining the record. In a hospital setting, this means that if a celebrity is admitted, the hospital need not keep track of any hospital employee who looks at that celebrity's record. If the record then becomes public, the celebrity will have no way to document who saw the record.

Law Enforcement - Those who follow health privacy issues will recall that the proposal from the Secretary of Health and Human Services was heavily criticized by some members of Congress and in the press. The objection was that the proposal would allow law enforcement access to and use of patient records without any change from current practice. The Jeffords bill has some features that represent a marginal improvement over the Secretary's proposal. Nevertheless, the bill fails to meaningfully restrict law enforcement access and use and adds a new element that manages to produce a result even worse than the Secretary's proposal.

Section 210 permits disclosures for law enforcement purposes. Disclosures pursuant to subpoenas and warrants require probable cause to believe that the information sought is relevant to a law enforcement inquiry. But Section 210(a)(3) allows disclosures in response to "a request otherwise authorized by State or Federal law." This has virtually no meaning. Law enforcement agencies will argue that they are authorized to request any health record under their general investigative authority. A law enforcement officer may claim that he or she is entitled to enter any hospital and ask for any patient record. Section 210(a)(3) authorizes the hospital to make the disclosure. No process is required. There is no probable cause requirement, no new standard, no new procedure, or no notice to the patient.

Section 210(f) includes language excluding from evidence any information obtained unlawfully. This is, for the most part, present law.
However, because the bill makes it so easy to obtain information without any standards or procedures under Section 210(a)(3), the exclusion has little effect. Further, it does little to protect patients. Consider a patient whose physician is the target of a fraud investigation. The patient's record is lawfully obtained by the law enforcement agency. The record is not excludable under the Jeffords exclusionary rule. Anything that a patient tells a physician can be used against the patient. The exclusionary rule affords no real protection to any physician-patient communication. Because federal law enforcement agencies have authority to obtain EVERY health record in the country, every revelation by a patient to a doctor may be accessed and used against the patient in all circumstances.

The worst new law enforcement feature of the Jeffords bill is found in Section 215. Law enforcement officers who violate the law would not be personally liable unless the violation was a result of intentional conduct committed with the intent to sell, transfer, or use information for commercial advantage, personal gain, or malicious harm. A law enforcement official who illegally and negligently disclosed health care records would not be liable. An investigator who exposed millions of health records to public view by negligently leaving the records in a public file on the Internet would not be liable to anyone. No other person who obtains health information under the bill would be immune from responsibility for their conduct.

##########################