Interesting People mailing list archives

IP: Analysis of Jeffords Bill


From: Dave Farber <farber () cis upenn edu>
Date: Sat, 11 Apr 1998 10:49:28 -0400

From: "Joel R. Reidenberg" <reidenberg () sprynet com>
To: "Farber@Cis. Upenn. Edu" <farber () cis upenn edu>


Thought IPers would be interested in this analysis of the 
Jeffords Health Privacy Bill.  I received it from a very
knowledgeable and reliable source and find it to be a very 
thoughtful assessment that raises many troubling issues. 


JRR


***********************************************


Joel R. Reidenberg
Professor of Law and Director of Graduate
  Program Academic Affairs
Fordham University School of Law
140 W. 62nd Street
New York, NY 10023 (USA)
Tel: 212-636-6843
Fax: 212-636-6899


Email: <reidenberg () sprynet com>
Web: <http://home.sprynet.com/sprynet/reidenberg>


***********************************************




+ + + + + + + + + + + + + + + + + + + + + + + + +


                       Analysis of S.1921
     Health Care Personal Information Nondisclosure Act of 1998


                           SIGN OR DIE


NOTE:  This analysis was independently prepared by an individual
who wishes to remain anonymous and may be circulated without
limit provided that this disclaimer is included.  This analysis
may not be quoted or attributed to anyone.  


     At the beginning of April, Senator Jeffords introduced a new
health privacy bill (S.1921).  Like other health privacy bills,
Jeffords' proposal is long and complex.  It contains one
especially notable and troublesome new feature, and this analysis
focuses on that feature and a few others.  This is not a
comprehensive review of the proposal.


     Coerced Consent - The biggest single problem with the bill
is the patient authorization language in section 202.  The effect
of this language is to give health plans, employers, and
providers the power to decide how patient information can be used
and disclosed AND to force patients to agree to whatever the
plans, employers, and providers decide.  The proposal lacks clear
statutory or regulatory limits on the power of health plans,
employers, and providers to use and disclose identifiable health
information to suit their own interests.


     Section 202 provides that every employer offering a
health plan, every health plan, and every provider MUST obtain
from every individual a signed authorization.  As a result, each
individual covered by health insurance provided by an employer
will be required to sign at least two separate authorization
forms:  one from the health plan and one from the employer. 
These are separate authorizations.  The spouse of a worker must
also sign an authorization, and a parent must sign on behalf of
each covered child.  Any individual seeking care from a provider
may also be required to sign a separate authorization for each
provider.


     Section 202 provides that the signed, written authorization
"is a legal, informed authorization concerning the use and
disclosure of protected health information for treatment, payment
or health care operations."  Thus, the terms of the law proclaim
that the authorizations are both "legal" and "informed." 
However, nothing in the bill gives an individual any ability to
refuse to sign or to bargain over the contents of the
authorization.  The law REQUIRES an employer, health plan, and
provider to obtain an authorization.  


     What happens if an individual refuses to sign an
authorization?  The bill would make signing an authorization a
condition of enrollment in a health plan or of the provision of
health care.  As a result, it appears that an individual who
refuses to sign loses health insurance or can be denied
treatment.  The legal requirement to obtain an authorization
falls on the employer, health plan, and provider.  Without an
authorization, each would appear to be legally justified to deny
insurance or treatment to anyone who refused to sign an
authorization or who modified it in any way.


     For those who require either health insurance or health
treatment, the policy in the Jeffords bill is sign the form or
forego treatment or insurance.  In other words, SIGN OR DIE. 
There is no opportunity for bargaining, for customizing an
authorization to meet individual needs, or for opting out of a
particular disclosure.  This is not informed consent.  There is
nothing consensual about signing.  The consent is coerced as a
matter of federal law.  SIGN OR DIE.


     Every employer, health plan, and provider can force an
individual to sign an authorization form that permits a wide and
nearly unlimited variety of uses of health information. 
Employers, plans, and providers can draft authorization forms to
suit their own needs and requirements, without any regard for the
interests of patients.  Because patients have no choice but to
sign, there is no meaningful external constraint on the scope of
the authorizations.


     Scope of Authorizations - The bill provides expressly that
the authorization obtained by employers must cover "treatment,
payment, or health care operations."  Authorizations obtained by
health plans and by providers appear to have no similar
limitations.  Nothing in Section 202 seems to limit use and
disclosure to treatment, payment, or health care operations. 
However, the title of Section 202 suggests that the
authorizations are for treatment, payment, or health care
operations so it is likely that the intent is that authorizations
obtained by plans and providers under this section are for those
purposes.  This may just be a drafting error.


     Disclosures for Treatment - The authorizations under Section
202 would cover disclosures for treatment.  Some other health
privacy proposals would permit nonconsensual disclosures for
treatment.  But they provide patients with an opt-out.  Under
other proposals, if a patient objects to a disclosure for
treatment, that objection is effective.  Under the Jeffords bill,
a patient has no ability to object to any disclosure for
treatment.  


     Suppose, for example, that a patient does not want his/her
record disclosed to a particular doctor because the patient and
the doctor are related.  Writing that restriction on the
authorization form, however, could result in cancellation of
insurance or denial of treatment.  Under section 202, patients
are afforded no opportunity to modify the authorization forms
presented by employers, plans, and providers.  A provider or
health plan is under no obligation to agree to a patient's
request to limit disclosures for treatment.


     Another hypothetical:  Suppose that an employer's
authorization form permits disclosure of all patient information
as a treatment disclosure to the employer's in-house medical
staff.  The authority would allow the staff to obtain records of
treatment obtained by the employee anywhere else.  The employer
will say that the disclosure is justified because in-house staff
may be called upon to provide treatment in emergencies or
otherwise.  The consequence is that an employer could force an
employee to consent to the routine disclosure of an entire
medical record to the employer.  


     An individual cannot refuse to sign an authorization form
for treatment.  However, an individual can apparently revoke an
authorization for treatment.  Section 202(c) allows for
revocation of authorizations.  If a patient signs an
authorization and then revokes it in whole or in part, it is not
clear what the consequences are.  


     The bill makes signing an authorization form a condition of
enrollment in a health plan.  If an individual can revoke consent
for disclosures for treatment, then the concerned individual
could do so immediately after signing the required form.  This
would make the federally mandated consent a nullity.  It is
unclear how the "condition of enrollment" language meshes with
the revocation authority.


     Disclosures for Payment - The authorizations required under
section 202 would cover disclosures for payment.   Some other
legislative proposals would permit nonconsensual disclosures for
payment.  But they provide that if a patient and provider arrange
for payment other than through an insurance company, then
disclosures for payment are not permitted.  In other words, a
patient can agree to pay out of pocket without an insurer or
employer learning about it.  


     The Jeffords proposal does not allow an individual to refuse
to sign a consent for disclosure for payment under any
circumstances.  However, the individual may later revoke that
consent.  Section 202(c)(1) says that an individual may revoke an
authorization unless disclosure is necessary for payment for
health care already provided and for which the individual has not
agreed to assume financial responsibility.  


     The requirement for signing and later revocation is crucial
because it makes it much more difficult for a patient to exercise
control.  Suppose, for example, a patient pays for psychiatric
care without relying on insurance.  The careful patient, having
signed the initial, required authorization form, then revokes it
in part so that it no longer covers the psychiatric care.  This
appears to be permissible.  But if on renewal of the health
policy or on a subsequent visit to the psychiatrist's office or
to another health care office, the patient signs the standard
authorization again, failure to renew the revocation will vitiate
the initial revocation and make the records now available for a
subsequent payment disclosure.  The structure of the Jeffords
bill makes it particularly difficult for patients who want to pay
for their own care to prevent information from slipping into the
payment system.


     Disclosures for Health Care Operations - This is the biggest
loophole in section 202 because of the lack of specific
definitions.  Health care operations are defined to include any
services provided by or on behalf of a health plan or provider for
the purpose of carrying out the management function or
implementing the terms of a contract for benefits.  


     In other words, an individual can be required to "agree" to
disclosures for any management functions without restriction. 
Health care operations include (but presumably are not limited
to):


     quality assurance activities and outcomes assessments; 


     reviewing competency of health care professionals;


     accreditation, licensing, or credentialing activities;


     analysis of health plan claims or health care records data;
     
     evaluating health plan and provider performance; 


     utilization review and precertification; 


     underwriting; and


     auditing.


     The long list of permissible disclosures uses terms that are
mostly undefined and could include virtually any type of use or
disclosure that an employer, plan, or provider might want to make
to satisfy its own institutional needs.  


     For example, a disclosure for outcomes assessment could
allow the entire medical record of an employee or an employee's
family to be disclosed to the employer without notice,
restriction or limitation.  Similarly, disclosures to employers
could fall under evaluating plan and provider performance.  An
employer might even disclose patient information to an employee's
supervisor by claiming that it wants to obtain the supervisor's
opinion on the performance of the employee's provider.


     Pharmacy Disclosures - Recent press stories highlighted how
some pharmacies were making disclosures of patient information
without consent for marketing purposes.  It appears that the
Jeffords bill wants to make it impossible for a provider to use
the Section 202 authorization procedure to collect patient
authorization for this purpose.  Section 202(f) provides that
authorization may not authorize disclosures "with the intent to
sell, transfer, or use protected health information for
commercial advantage."  


     But this language may not provide adequate protection for
patients.  First, the language of section 202(f) limits
disclosure and not use.  The Jeffords bill is not clear on
whether a distinction between internal use and external
disclosure is meaningful.  Assuming that it is a real difference,
a drug manufacturer that owned a pharmacy could obtain the
information because it is still within the same company.  Another
way to accomplish the same purpose might be for the manufacturer
or the third party company to become an agent of the health plan. 
Then the disclosure might not be restricted because it is an
internal use.  


     Second, the term "commercial advantage" is not defined. 
Regardless, it provides no real limitation since any disclosure
for disease system management could be justified -- rightly or
wrongly -- as a treatment disclosure benefitting the patient or
as part of a management function.  As long as there is another
intent for the disclosure, the restriction on disclosures for
commercial advantage might not apply.


     Third, given the complex relationships between health care
institutions, a disclosure of patient records might involve no
overt payment or identifiable commercial advantage, but a
pharmaceutical manufacturer could provide hidden discounts or
benefits to cooperating plans or providers.  The limitation in
Section 202(f) offers little assurance that patient data will not
be widely circulated to marketers or used for marketing purposes
by a provider, plan or employer.  If a pretext is found for
including the disclosure in the authorization form that must be
signed, then the disclosure will be "authorized."


     Revocation - Section 202(c)(2) discusses the revocation of
an authorization given to a health plan.  It is not clear whether
a patient can revoke an authorization for disclosures for health
care operations.  Nothing in this section appears to restrict a
patient's ability to revoke.  A careful patient required to sign
an authorization form might immediately revoke it.  Whether this
would permit a health plan to terminate coverage is not clear. 
However, other revocation language suggests that revocation of
the authority is not an allowable result.


     When an individual cancels or fails to renew enrollment in
the plan, the authorization is deemed to be revoked, except as
may be necessary to complete health care operations and payment
requirements related to the individual's period of enrollment. 
This suggests that the intent of the bill is that an affirmative
revocation might not be able to cover health plan operation
disclosures.  It is not clear.


     Still, the revocation provision has several different
consequences for both patient and health plans.  First, when a
patient switches a health plan, any existing authorization for
treatment disclosures is revoked.  So when an individual moves to
another plan and another doctor, the previous authorization that
would have permitted transfer of treatment records is no longer
valid.  New paperwork is required for the treatment disclosure.


     Second, revocation-by-cancellation places health plans in a
precarious position.  Suppose that a health plan wants to use the
record of a former enrollee in auditing, licensing, outcomes
assessment, or for other health care operations purposes. 
Records of current enrollees (active revocation aside) could be
used because of the signed authorization.  But for former
enrollees, use is permitted only "as may be necessary to complete
health care operations."  Each former enrollee's record would
have to be identified, and a determination made that the record
is "necessary" for the proposed use.  


     Further, the term "complete" suggests that the exception to
revocation is limited.  Thus, it would be hard for a health plan
to argue that a two, three, or ten year old patient record is
needed to "complete" an outcomes assessment.  Each patient could
argue that any health care operation could be accomplished just
as well without his or her individual record.


     The result is that health plans have a problem if they want
to use records of former enrollees for operational purposes other
than payment.  They could easily be sued by patients who object
that the uses no longer fall under the revoked authorization even
with the statutory limitation.  Because the disclosure authority
for all health care operations is based SOLELY on each patient's
authorization, that authority can and will expire.


     The revocation provision could also affect treatment.  A
treatment authorization may cover the treatment of patients other
than the record subject.  A physician treating a patient may look
at records of other patients with similar conditions to learn
what treatments were effective.  Some other proposals would allow
this type of disclosure for treatment of other patients unless the
subject of a record has objected.  Once the authorization is
revoked by cancellation of the health plan, the disclosure of a
health record for treatment of others would no longer be
permitted.  


     Coerced consent does nothing to protect the privacy rights
of patients.  As proposed in S.1921, it also places health plans
and employers at risk if they use the records of former
enrollees.


     Conclusion - Not all of the disclosures that a patient would
be forced to consent to under the S.1921 coerced consent language
are necessarily objectionable.  Many other proposals authorize
similar disclosures.  What is objectionable is the legal
requirement that patients MUST sign consent forms authorizing
disclosure.  A patient who seeks to modify a mandatory
authorization form or to question its content runs the risk of
having insurance coverage terminated or being denied treatment.


     Section 202 of the Jeffords bill provides employers, health
plans, and providers with nearly unlimited ability to use and
disclose patient records as they see fit.  As a result, it does
little to improve privacy protections for individuals.  Patients
will be forced to sign away their possible privacy interests. 
The coerced consent model offers the appearance of patient
privacy while really only protecting the interests of those who
seek to exploit patient data in nearly any way that they see fit.


     Other proposals define uses and disclosures in statute. 
By relying on a statute for definitions, there will be an
objective, external standard to regulate patient records.  Under
the coerced consent model, the employers, plans, and providers
are able to make choices about how records are used and
disclosed, without regard for patient need or statutory
limitations.  They can force patients to agree and make it
difficult or impossible for patients to challenge the
authorization forms or to hold anyone accountable for uses and
disclosures.


     The fundamental issue is not whether there should be limits
on the use of health records.  Everyone agrees that there should
be.  The real issue is who sets those limits.  S.1921 allows
health plans, employers, and providers to define how records can
be used without any participation by patients or external
controls.  A better answer is to establish limits in legislation
so that privacy policy is made by the Congress and so that
patients have a greater say in nonessential uses.


     Coerced consent abdicates the responsibility of Congress to
establish protections for patient privacy.  S.1921 turns the
responsibility over to health plans, employers, and providers. 
This is a fundamental flaw in approach, and it will not further
patient privacy interests at all.  In some ways, it is even a
step back from the current rules that afford few protections to
patients.


     Audit Trails - Suppose that health care information is
disclosed to an employer and shared by the employer with an
employee's supervisor.  How can an employee find out that this
has occurred?  Section 112 requires the maintenance of audit
trails.  But the requirement only applies to EXTERNAL
disclosures.  In the workplace, there is no way to learn if
records have been seen by any person who works for the entity
maintaining the record.  In a hospital setting, this means that if
a celebrity is admitted, the hospital need not keep track of any
hospital employee who looks at that celebrity's record.  If the
record then becomes public, the celebrity will have no way to
document who saw the record.
     
     Law Enforcement - Those who follow health privacy issues
will recall that the proposal from the Secretary of Health and
Human Services was heavily criticized by some members of Congress
and in the press.  The objection was that the proposal would
allow law enforcement access to and use of patient records
without any change from current practice.  The Jeffords bill has
some features that represent a marginal improvement over the
Secretary's proposal.  Nevertheless, the bill fails to
meaningfully restrict law enforcement access and use and adds a
new element that manages to produce a result even worse than the
Secretary's proposal.


     Section 210 permits disclosures for law enforcement
purposes.  Disclosures pursuant to subpoenas and warrants require
probable cause to believe that the information sought is relevant
to a law enforcement inquiry.  


     But Section 210(a)(3) allows disclosures in response to "a
request otherwise authorized by State or Federal law."  This has
virtually no meaning.  Law enforcement agencies will argue that
they are authorized to request any health record under their
general investigative authority.  A law enforcement officer may
claim that he or she is entitled to enter any hospital and ask
for any patient record.  Section 210(a)(3) authorizes the
hospital to make the disclosure.  No process is required.  There
is no probable cause requirement, no new standard, no new
procedure, and no notice to the patient.


     Section 210(f) includes language excluding from evidence any
information obtained unlawfully.  This is, for the most part,
present law.  However, because the bill makes it so easy to
obtain information without any standards or procedures under
Section 210(a)(3), the exclusion has little effect.


     Further, it does little to protect patients.  Consider a
patient whose physician is the target of a fraud investigation. 
The patient's record is lawfully obtained by the law enforcement
agency.  The record is not excludable under the Jeffords
exclusionary rule.  Anything that a patient tells a physician can
be used against the patient.  The exclusionary rule affords no
real protection to any physician-patient communication.  Because
federal law enforcement agencies have authority to obtain EVERY
health record in the country, every revelation by a patient to a
doctor may be accessed and used against the patient in all
circumstances.


     The worst new law enforcement feature of the Jeffords bill
is found in Section 215.  Law enforcement officers who violate
the law would not be personally liable unless the violation was a
result of intentional conduct committed with the intent to sell,
transfer, or use information for commercial advantage, personal
gain, or malicious harm.  A law enforcement official who
illegally and negligently disclosed health care records would not
be liable.  An investigator who exposed millions of health
records to public view by negligently leaving the records in a
public file on the Internet would not be liable to anyone.  No
other person who obtains health information under the bill would
be immune from responsibility for their conduct.


                   ##########################

