@INFO.POLICY

Protecting health data is a privacy quandary

Robert Gellman

Perhaps the longest-running privacy policy debate in Washington is over health records.

Health privacy has been a legislation issue off and on since 1979. Many bills have been proposed over the years, and health privacy has been on the congressional agenda continuously for most of the past decade. There's precious little to show for all that effort.

Health privacy has many implications for federal program managers and computer specialists. If the policy folks can ever figure out what to do, the programmers, systems analysts and other computer types will have to handle much of the implementation.

In Congress' court

The only legislation enacted that came close to establishing a privacy policy for health records was the Health Insurance Portability and Accountability Act of 1996. Not actually a privacy bill, HIPAA set a deadline of last August for more specific legislation. If Congress failed to enact a law by then, HIPAA authorized the secretary of the Health and Human Services Department to write privacy rules for electronic health care records. That deadline came and went without congressional action.

The principal reason Congress cannot pass a bill is lack of consensus. Everybody agrees that privacy is important to the health care system, and everybody agrees that we need federal legislation. But there is no agreement on any other aspect of this exceedingly complex issue.

On one end are privacy extremists who want to veto maintaining information in any computer system, an unrealistic goal.

On the other end are health plans and insurers that want to exploit patient information for marketing without patient approval. That ought to be illegal.

Government also has extremists. The Justice Department wants to collect patient records from physicians and health plans for fraud and abuse detection, and then prosecute patients using information they shared with their physicians.

That, too, is outrageous. Doctors may have to start issuing Miranda warnings if what patients say can be used against them.

I find it chilling that the attorney general has the authority to subpoena every health record in the United States. Even paying cash for health care may not keep your records from the clutches of Justice.

Considering these diverse points of view, you now understand why 20 years of attempts at passing health records privacy legislation have failed.

Meanwhile, HHS has dutifully followed congressional direction. The department issued a monumental set of proposed regulations in November. The comment period, originally scheduled to end Jan. 3, was extended to Feb. 17.

The regulations are aimed at electronic health records maintained by both private and public entities. Federal agencies would have to comply just like any other health record-keeper, but there are some uniquely federal aspects.

One disturbing proposal would allow military command authorities to have broad access to health records of all armed forces personnel. Similarly, the State Department could seek health information about Foreign Service members and their families without consent. HHS might have better addressed unique governmental interests if it had provided better and more balanced basic standards and procedures.

Perhaps the most difficult-to-swallow aspect of the rules is their scope. Just about any electronic health information held by an employer would fall under the rules. Every agency would have to look carefully at computer systems to see if any information qualified. Don't assume that any system would be exempt.

Taken to extremes

Consider a system supporting travel by federal workers. If a travel voucher indicated a person's preference for a low-salt airline meal, it could be subject to the health privacy rules. A personnel system that tracks medical leave might also fall under the regulation because frequent doctor visits reveal the likelihood of serious illness. Virtually any government computer with personal information might contain something qualifying as health information, rendering it subject to the new rules.

The privacy rules are scheduled to take effect two years after they are promulgated. The earliest effective date is mid-2002. Given the federal budget cycle, it is not too early to start taking inventory of federal systems that may need modifications to meet these privacy requirements.

This will give you something to do now that year 2000 repair is over.

Robert Gellman is a Washington privacy and information policy consultant. His e-mail address is rgellman@cais.com.
