Eileen Hansen
Public Policy Director
AIDS Legal Referral Panel (ALRP)
582 Market Street, Suite 912
San Francisco, CA 94104
415
291-5472 tel
415 291-5833 fax
Thank you for the opportunity to speak to you today on the critical issue of privacy and confidentiality concerns with regard to the implementation of Administrative Simplification provisions of P.L.104-191. On behalf of the AIDS Legal Referral Panel of the San Francisco Bay Area (ALRP), it is my pleasure to offer testimony on subjects that have long been a component of the work of the AIDS Legal Referral Panel.
The AIDS Legal Referral Panel, founded in 1983, has provided comprehensive free and low-cost legal services to nearly 30,000 people with HIV/AIDS in San Francisco and the surrounding Bay Area counties. Serving nearly 3,000 people per year, we address many individual concerns related to health care reform, confidentiality, reporting and discrimination. Our public policy department was established in 1991, in part because of the need to address these same issues. Through our federal, state and local policy work, we endeavor to protect and advance the civil rights of all people with HIV Ä with particular attention paid to the impact of HIV on those most disenfranchised.
The core idea of confidentiality has a long history within the medical profession, although it has only more recently emerged into the domain of legal rights and interests. The fundamental concept of medical information confidentiality dates back at least as far as the Hippocratic Oath, written in the fourth century B.C. Its basic command "that medical information about a patient not be disclosed beyond those who need to know for the purposes of the patient's medical care or those whom the patient chooses to inform" is echoed in contemporary medical ethics, statutory protections, the common law and constitutional law. The developing sense that medical information is, at least to a significant extent, properly within the private control of a patient is closely linked to the emergence of the concept of "privacy" as a morally valued, politically accepted and legally protected area of constitutional rights.
It is generally acknowledged that the patient has a profound interest in determining 1) who has access to; and 2) who has control of medical information about herself. This interest translates into a certain measure of control over who or what has information access. For example, the patient's physician generally has no authority to disclose information about the patient absent the patient's specific authorization. Similarly, the state, if it collects any individually identifiable medical information under statutory authority, generally cannot distribute that information beyond places or persons specifically authorized in the relevant statute. When the information involved has public health implications beyond the individual patient, the weight given confidentiality is counterbalanced by the potential harm to others. Because HIV/AIDS has obvious public health dimensions, the confidentiality of HIV-related information has been scrutinized and debated since the beginning of the epidemic.
Because people with HIV/AIDS have long been victimized not only by the ravages of the disease itself, but also by the attendant stigma, prejudice, discrimination and public fear associated with HIV/AIDS, the issue of confidentiality has also been addressed within the critical context of civil liberties. Thus, an emphasis on protecting the confidentiality of HIV-related information, especially the names of affected individuals, has been an important focus of addressing the epidemic within the context of protecting both public health and individual privacy.
Those most affected by the HIV epidemic are, still, disproportionately members of socially stigmatized groups with a well-developed mistrust of government intentions toward them. The epidemic initially was recognized among gay men, and men who have sex with men continue to constitute a majority of U.S. AIDS cases. Long accustomed to officially sanctioned and practiced discrimination on the basis of their sexual orientation, gay men and lesbians have been profoundly suspicious of the government's interest in obtaining their names and HIV-related medical information. Other groups disproportionately affected by AIDS have, for varying reasons, also been wary of government designs. Injection drug users' risk-defining behavior is itself criminal, automatically making injection drug users mistrustful of the collection of information on them. People of color - especially African Americans Ä have also been marginalized historically, less linked to the formal health care system, and trained by long experience to be leery of government intentions. For example, it took until 1997 for an apology to be provided regarding the U.S.- funded Tuskegee Syphilis Study on African American men that was, appallingly, not stopped until 1972. For many women, who comprise an increasing percentage (now 20%) of HIV-infected people, mistrust has been increased by fears that their HIV status could jeopardize their custody of children. We have seen this legitimate concern most recently raised in the context of pregnant women being coerced under the threat of prosecution or eventual loss of custody to take medical treatments that, while toxic and untested for long-term effects, could reduce the potential for HIV transmission to their fetus.
Breaches of confidentiality have occurred in many contexts, including the medical setting. The most recent example is that of the nation's worst violation of confidential HIV information in Pinellas County, Florida, where 4,000 names from an AIDS surveillance database were leaked to two newspapers in September of 1996. Florida prosecutors have since filed criminal charges against a public health worker who tracked AIDS cases and who used classified information for personal benefit (he checked a computer database of AIDS cases to search for the names of men he planned to date) and against his former business partner who was identified as the person who anonymously mailed disks containing the database to the newspapers. Currently, Florida officials are also investigating unrelated allegations that a clerk in a welfare office tapped into the state's computer network to discover the confidential health records of an acquaintance and leaked information that could imply that the person has AIDS. The clerk, whose job is to determine whether an applicant is eligible for benefits such as Medicaid and food stamps, reportedly found the acquaintance's t-cell count while using the Florida System, a network of computers that contains the files of more than a million Florida residents and is seen by thousands of state employees. A t-cell count is a measure of the body's immune response, and is an indicator of the health of a person with AIDS. Officials said the clerk apparently led others to believe that the acquaintance had AIDS. The response of the Florida Department of Children and Families to this outrageous incident was merely that the information should not have been on the computer system.
People with HIV have lost their jobs, their homes, the support of their communities, their friends and their families, and their insurance upon inappropriate disclosure of their HIV status. The health care system has itself been used to discriminate against people with HIV with some doctors, dentists and hospitals refusing to treat HIV-infected individuals or disclosing medical information.
As health information systems are increasingly utilizing electronic technologies, the issues of privacy and nondiscrimination are also increasingly important. Electronic data collection and electronic transfer of information must not be done without the strongest possible privacy protections in place.
It is imperative that any attempt at implementing Administrative Simplification maintain the strictest possible privacy safeguards on the personal health information of people with HIV/AIDS and, in fact, all people in this country. The AIDS Legal Referral Panel remains concerned that the Health Insurance Portability and Accountability Act of 1996 seriously threatens patient confidentiality. While the Secretary of HHS would be required to adopt standards related to electronic transactions, data elements of health information, security and privacy, the legislative purposes of the standards do not sufficiently emphasize patient privacy. The Act specifies that the standard adopted must reduce the administrative cost of providing and paying for health care. Clearly, this is the emphasis of Administrative Simplification. Privacy concerns are secondary, at best.
Additionally, we agree with the concerns of the AIDS Action Council (Washington, DC) that the development of privacy standards will come long after the electronic health information network has begun operating and will, therefore, be meaningless to ensuring the confidentiality of medical records. Electronic medical records must be made more secure than paper records, but we agree with the National Research Council (March 5, 1997 panel) that strong incentives do not currently exist on the part of the health care industry to ensure this. In representing consumers with HIV, we would disagree with the panel, however, that consumers are not concerned about this issue. We believe that consumers are becoming more informed, and as they more fully grasp what is at stake regarding their privacy, they will more widely make their concerns known.
We would agree with the panel that the use of a patient identifier must be weighed against patient privacy and must be backed by policies that define improper access and specify sanctions against abusers. We would assert that the language of those policies and sanctions must be extreme and absolute. Confidentiality of sensitive medical information such as HIV must be protected. Unnecessary disclosure of confidential medical record information that includes HIV status, mental health status, substance use, sensitive medical procedures such as abortion, sexual orientation or behavior and gender identity must not be allowed. The use of a carefully constructed, appropriate unique identifier system both for gaining access to the information system as well as for identification of a personal medical file must be carefully assessed. The historical significance of the right of consent for patients must be honored and understood within this context. As noted by Paul D. Clayton, the panel's chairperson and a medical information specialist at Columbia Presbyterian Medical Center in New York, "we have already seen, for example, how the Social Security number's widespread use in motor vehicle licensing, employment, banking and medical records can be used to collect information on specific individuals."
Importantly, state authority to provide privacy protection in the area of individually identifiable health information is retained in the Act, and we would assert that any future federal legislation in this area must not preempt stronger state laws. Ultimately, a comprehensive federal privacy statute must be created to fully protect the privacy of all personally identifiable health information. Meanwhile, in implementing the Administrative Simplification provisions of P.L.104-191, the privacy needs and discrimination-related concerns of people with HIV/AIDS, and others with stigmatized conditions, must be heeded. These concerns are based in fact and experience and the Health Insurance Portability and Accountability Act of 1996 must not be used to further erode the civil liberties of people with HIV/AIDS Ä and others Ä and must not be used to create an electronic nightmare of indiscriminate and insensitive medical information disclosure.
The AIDS Legal Referral Panel offers our willingness to work with the National Committee on Vital and Health Statistics in the furtherance of these goals.
Thank you.