Testimony of Denise Nagel, MD

TESTIMONY
TO THE
SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY
OF THE
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
BY
DENISE M. NAGEL, MD
FOR
NATIONAL COALITION FOR PATIENT RIGHTS
AMERICAN PSYCHOANALYTIC ASSOCIATION
ASSOCIATION OF AMERICAN PHYSICIANS AND SURGEONS
WASHINGTON, D.C.
FEBRUARY 19,1997

I am Denise Nagel. I am a physician. I was trained at Duke University in pediatrics and then at the Massachusetts General Hospital in Boston in psychiatry. For seventeen years, I have been in clinical practice. Three years ago I co-founded the National Coalition for Patient Rights, an organization whose sole mission is to work to protect and preserve privacy and confidentiality in medical care. I am an instructor at Harvard Medical School. I am testifying for my organization and on behalf of the American Psychoanalytic Association and the Association of American Physicians and Surgeons.

I am pleased to have the opportunity to address you this morning.

Congress directed the Secretary of Health and Human Services, with the advice of this Committee, to make "detailed recommendations on standards with respect to the privacy of individually identifiable health information," in the Health Insurance Portability and Accountability Act of 1996 (HIPA), sec. 264(a). In making those recommendations, the Secretary is required to address at least the following:

"The rights that an individual who is subject of individually identifiable information should have.
The procedures that should be established for the exercise of such rights.
The uses and disclosures of such information that should be authorized or required."
(HIPA,sec.264(b))

The description of the purpose of this Committee, and the description of the issues which the panels have been directed to address, focus almost exclusively on "policies for the use and disclosure of individually-identifiable health information." It is not surprising, therefore, that the testimony to date is devoted, almost exclusively, to the third and last subject the Secretary is required to address--uses and disclosure of identifiable health information. My testimony will focus on the principal issue the Secretary is charged with addressing--the rights of individuals to privacy for identifiable health information and the procedures necessary to preserve those rights.

Congress refers to privacy rights in the Kassebaum-Kennedy Bill for good reason. Patients have a well-established right to privacy grounded in constitutional and statutory law, common law, the Hippocratic oath, the canons of medical ethics and common sense. Unfortunately these rights have not been uniformly enforced. The recently adopted policy on "Patient Privacy and Confidentiality" of The Massachusetts Medical Society, states: that "[w]hile the most aggressive federal prosecutor may not obtain the records of a social worker, an insurance company can demand and receive full access to the most sensitive medical record, and enter it into a databank accessible to thousands of people, without legal constraint." The medical society takes the position that this is wrong and sets out a mechanism that allows insurers to manage care without invading privacy. The medical society policy begins from the principled position that "the patient has a fundamental right to privacy and confidentiality in his/her relationship with a physician." Any "conflict between a patient's right to privacy and a third party's need to know should be resolved in favor of the patient's privacy and confidentiality except where that may result in serious harm to the patient or others." This is the position of the Massachusetts Medical Society-- the publishers of The New England Journal of Medicine--and it is our position.

You have heard distinguished professionals, who have told you that they can't do what they need and want to do if they don't have access to personally identified medical information on every person. However, needs do not confer rights. A person may not meet his needs or satisfy his desires by trampling on the rights of others.

"The purpose of the hearings is to explore...the consequences for patients and institutions of new rules for use and disclosure of health data," read the letter I received inviting me to testify. But I do not think that Americans want new rules permitting use and disclosure of identified health information. What they want is the enforcement of long established privacy principles. They are looking to you to make recommendations that will genuinely protect and enhance individual privacy. They are counting on this subcommittee, the Subcommittee on Privacy and Confidentiality, to make recommendations to the Secretary of Health and Human Service that will enhance personal privacy in their communications with their doctors and other health professionals. Make no mistake about it, people care about confidentiality of their medical records and they are worried. In 1993, during the debates on national health care reform, Louis Harris and Equifax did a poll. Seventy-four percent of physicians believed that increased computerization would weaken confidentiality. Eighty-five percent of the general public placed protecting the confidentiality of people's medical records ahead of providing data for research into diseases and treatments.

The same survey also found that a clear majority of Americans were very concerned about having a national health identification number assigned to each individual. At present most Americans are unaware that this is happening. As the public becomes aware of this provision you can expect a loud outcry.

No one questions that things have already begun to get out of control. The Institute of Medicine noted in a report a few years ago that the roster of parties claiming a need to know what is in the individual medical record was too numerous to list. When I reviewed the latest version of S. 1360, not yet re-introduced, I had a similar impression. It was impossible to make a list of all the accreditation, oversight, public health, research and law enforcement agencies that would have access to patient records without patient consent if this bill were passed. I suspect that no one in this room doubts that Americans have not approved this kind of open access. A 1996 Time/CNN poll found that 87% of Americans believed that "laws should be passed that prohibit health care organizations from giving out medical information without first obtaining the patient's permission." The same percentage of people in a 1993 Louis Harris poll trusted their own providers but most (71%) believed that "if privacy is to be preserved, the use of computers must be sharply restricted in the future." Rules that conform to these views would require consent for placing personal information in a computer system and consent for the disclosure of identified information, except in rare circumstances.

Twenty-five years ago a committee that preceded you, advised the Department of Health, Education, and Welfare, (now the Department of Health and Human Services) in a report titled "Records, Computers, and the Rights of Citizens." In this report they said

"..we believe that in practice, the dangers inherent in establishing a standard universal identifier--without legal and social safeguards against the abuse of automated personal data systems--far outweigh any of its practical benefits. Therefore we take the position that a standard universal identifier should not be established in the United States now or in the foreseeable future."

Given the advances in technology this advice is more valid today than on the day it was written. Thus, the standards "with respect to the privacy of individually identifiable health information" that the Secretary is required by the statute to formulate, should include the following:

A set of basic principles which reflect the historical treatment of the right to privacy under constitutional and statutory law, common law, the Hippocratic oath, the canons of medical ethics, and common sense.
Recognition that patients have the right to privacy for identifiable health information.
That this right to privacy cannot be waived in the absence of meaningful notice and informed consent.
That this right to privacy cannot be overridden in the absence of a waiver except where there is express statutory authority and showing of compelling public need. (e.g. dangerousness to self or others; epidemic control) Statutory and regulatory exceptions should be specific and narrowly defined.
That release of information for a specific purpose, such as insurance payment, should not require a waiver of the right to privacy which is broader than is necessary to process and pay a claim.

I hope that any recommendations from the Secretary will start from these principles.

Quality health care at the lowest cost should be our common goal. We differ principally on how it is best achieved. We believe that quality health care cannot be provided without recognition and protection of the individual's right to privacy. This is the lesson of history reflected in constitutional law and basic principles of the medical profession. Physicians have made it clear that they can not provide accurate diagnoses and treatment unless patients feel free to convey information in confidence. Patients have made it clear that they must trust their physicians to tell them the truth about their illnesses. Sound research will not be possible unless accurate information is provided. Neither research, nor public health, nor quality care will be served by eroding the patient-physician relationship.

The need for outcomes studies is cited as a reason to override the patient's right to confidentiality. Such studies may involve not only the use of patient records without consent, but may require that patients participate in the research by filling out highly intrusive questionnaires, as a condition of their treatment. Many researchers, statisticians, and others question the value of this type of research. But Dr. Jay Katz, a physician and law professor at Yale Law School raises another issue in a recent in a recent article in the Journal of the American Medical Association. He asks: "Should communitarian values, in this instance rapid progress in medical science, trump the value of respect for individual autonomy?" He hopes not and his reasons draw on a surprising source. He refers to the Nuremberg Code and suggests that if there are to be changes in the fundamental premise of patient consent for research and advancing public goals, that such modifications be considered in light of the Nuremberg legacy.

The first principle of the Code is that "the voluntary consent of the human subject is absolutely essential." It goes on to say that "the person...should be able to exercise free power of choice, without the intervention of any element of force...or coercion." Senator Glenn has recently introduced S. 193, The Human Research Subject Protection Act of 1997. When he introduced the bill, Senator Glenn gave some examples of research done without patient consent. He said that many people would laugh at the very notion that research without patient consent could occur in this country. But it is happening and it is a threat to the constitutional guarantees of individual liberty.

I want to address as my final topic the issue of electronic claims processing as a means of cutting of administrative costs and the answer to fraud control. I want to refer you to the recent work of Malcolm Sparrow, License to Steal: Why Fraud Plagues America's Health Care System (Westview Press, September 1996) He cites a senior fraud investigator at a Medicaid Fraud Control Unit.

"With EDI [electronic data interchange], thieves get to steal megabucks at the speed of light and we get to chase after them with a horse and buggy. No rational businessman would ever invent a system like this."

Another representative of the insurance industry, on the guarantee of anonymity, stated that "administrative cost savings [with EDI] will in no way compensate for the tide of fraudulent claims they expect to wash over the system." He says much more about the Electronic Data Interchange and solidly rejects it as a cost savings device through administrative simplification and fraud control. Mr. Sparrow makes it clear that while he expects that automation of claims management to save $8-10 billion a year in administration costs, these savings could be more than offset by increased larceny. The Washington Post says: "The book's most alarming chapter is devoted to the implementation of electronic claims submission to replace on-paper transactions, which is expected to be complete by the turn of the century."

The organizations that I represent do not have all the answers, but we have a principled approach grounded in the legal, ethical and medical history of our country. We urge that the Secretary's recommendations build on that history rather than conflict with it.

Additional remarks following the testimony on February 19, 1997.

Mr. Gellman questioned whether identifiable medical records are confidential currently since there are laws, such as antifraud and abuse laws, accreditation laws and others, that either authorize or require disclosure of identifiable medical information without the patient's consent. Mr. Gellman further shared the information with the panel that he knew from personal experience that many of these laws (including some provisions of the Health Insurance Portability and Accountability Act, "HIPA") have slipped through Congress with little debate or attention.

Mr. Gellman's statement illustrates the purpose and importance of this Committee's recommendations. Congress directed the Secretary to present to Congress "detailed recommendations on standards with respect to the privacy of individually identifiable health information" precisely because there has been little consideration of coherent privacy standards in laws such as those referenced by Mr. Gellman. HIPA sec. 264(a)(emphasis supplied). As Mr. Gellman noted, those laws were developed principally to achieve other specific purposes and were adopted without significant consideration to their impact on privacy.

Congress commissioned this Committee of experts to assist in determining what the standards with respect to privacy should be--not to simply codify the abuses or breaches of the right to privacy which might have slipped through in other laws. This Committee would stand its purpose on its head if it were to feel compelled to conform privacy standards to the welter of laws that have been adopted without consideration of the need to protect the privacy of identifiable health information.

Ironically, the provisions of HIPA establish a virtually unqualified right to medical privacy--for "PROTECTION OF TRADE SECRETS" Section 262(a) at sec. 1172(e). That provision states that, "a standard adopted under this part shall not require disclosure of trade secrets or confidential commercial information..." Privacy standards recommended by this Committee should confer no less protection for individually identifiable health information. Otherwise, the rights of commercial entities to privacy would be elevated above the rights of individuals.

Mr. Gellman made the statement that there is no evidence that the loss of medical privacy has jeopardized the quality of health care. With all due respect to Mr. Gellman, this opinion is not shared by the CLINICIANS addressing this committee as reflected in the testimony of the American Medical Association, the American Psychiatric Association, the Association of American Physicians and Surgeons, the American Psychoanalytic Association, and the American Association of Occupational Health Nurses. Clinical experience leads to the conclusion that privacy is essential to providing quality medical services and quality health care suffers in its absence. Unless the right is recognized and protected, it will cease to exist and the quality of health services will decline. In fact, in a recent Supreme Court decision, Jaffe v. Redman, the Court noted that the Judicial Conference Advisory Committee had reported to Congress in 1972 that a psychiatrist's ability to help his or her patients

"is completely dependent upon [the patients'] willingness and ability to talk freely. This makes it difficult if not impossible for [a psychiatrist] to function without being able to assure...patients of confidentiality and; indeed, privileged communication....[T]here is wide agreement that confidentiality is a sine qua non for successful psychiatric treatment."

In addition, the Court noted that protecting the privacy of patient/therapist communications served not only an important private interest but also served the public interest "by facilitating the provision of appropriate treatment for individuals suffering the effects of a mental or emotional problem." 116 S.Ct. at 1929. You have heard from surgeons and internists that the same is true for their specialties. The need to protect, preserve and in some instances restore, the right to medical privacy in order to preserve quality medical care could hardly be more widely recognized.

This Committee has the opportunity to enhance the quality of health care by recommending privacy standards which are consistent with the right to privacy recognized under the Constitution, statutory law, and hundreds of years of medical ethics. Alternatively, this Committee can perpetuate the current chaotic conditions that are eroding the essential bond of trust between the patient and the treating physician. We ask the Committee to advance the cause of quality health care, not retard it.