Good morning. My name is Lauren Dame, and I am the staff attorney at Public Citizen's Health Research Group. Public Citizen's Health Research Group is a non-profit organization that was founded in 1971 by Ralph Nader and Dr. Sidney Wolfe, the current Director, to fight for the public's health, and to give consumers more control over decisions that affect their health. In my day-to-day work as staff attorney, I receive calls from consumers who are having problems navigating our current health care system: consumers who cannot get health insurance, consumers who are battling with their insurance companies or HMOs over coverage, and consumers who feel that the present system is out of control and heading in a direction over which they have little say. As medical records are computerized and there is increased disclosure of sensitive medical information -- as we believe there will be -- many of the problems consumers face today will be exacerbated unless strong privacy protections are included in any regulations developed pursuant to the Health Insurance Portability and Accountability Act.
I am happy to be here today to have the opportunity to discuss some of these privacy considerations in the use of medical records. I will use the brief time available to me to suggest some basic points that I hope you will keep in mind as you prepare your recommendations for the Secretary of Health and Human Services.
First, any regulations that come out of this process should take into account the flaws of our existing health care system. We do not have universal health care, nor guaranteed health insurance coverage. Instead, we have a system where profit-making companies can, by and large, pick whom to insure, and how much to charge, leaving more than 40 million Americans with no health insurance at all, and another 29 million with inadequate insurance.
We have a system where a growing number of employers are becoming "self-insured", and thus have a direct link to their employees' medical records -- a link that can be used for illegitimate as well as legitimate purposes, with few privacy restrictions.
We have a system where more and more patients are being enrolled in "managed care" organizations, leading to an increased ability for these organizations to collect personal medical information, and increased pressure to use that information in a variety of ways.
We have a system where advances in technology are resulting in the presence of sensitive genetic information in medical records -- information which may not only provide insight into a patient's current health, but may reveal possible future health concerns.
In a system with these characteristics, disclosure of medical information can have devastating consequences for individuals, leading to loss of insurance, financial problems, and loss of jobs.
In addition, privacy for medical information is an important value in and of itself. People feel very strongly that they should have control over the dissemination of what amounts to highly intimate and private information about themselves.
Second, we believe that any effort to regulate the use and development of computerized patient medical records should begin with the proposition that medical records are created for the benefit of the patient, and all other uses are secondary. This does not mean that there are not important and legitimate other uses of medical records, but the presumption should be against disclosure, and there should be a heavy burden of persuasion placed on those who argue for access to patient information. A corollary to this is the principle that personally identifiable patient information should not be disclosed without the informed consent of the patient. (And, by "informed consent", I do not mean the kinds of blanket consent or release forms patients currently are forced to sign in order to obtain health insurance, which basically give the insurers the right to collect any medical information they want, and to do with it what they will.)
Third, as regulations are developed to computerize medical records and to facilitate the exchange of data, the needs of patients for information and disclosure should be taken into account as well as the needs of other parties. The new technology could be used to provide patients with better information about their health care. Further, all patients should have the right to obtain copies of their records, and to correct any errors in them. Currently just over half of the states have laws requiring the release of medical records to patients -- as records are computerized and more easily and widely disseminated, it is even more important that patients have an opportunity to learn what is in them.
Today you are hearing from the "privacy advocates". Earlier, you have heard from insurers, providers, and processors of data, and no doubt most of them have painted glowing pictures of the great increases in efficiency and cost savings associated with computerizing medical records and with limiting privacy protections. While in some areas, the interests of all of us might be accommodated, often you will be faced with some hard choices.
In making your recommendations to the Secretary, I urge you to err on the side of protecting the privacy and confidentiality of personally-identifiable medical information. As a society, we can always modify regulations to increase data exchange if experience shows us that we can safely do so. But privacy, once lost, cannot be recaptured.