DPE: Public Policy: Policy Letters and Statements: Oct 7, 2005

Scott Wallace, J.D., M.B.A.
Chairman, Commission on Systemic Interoperability
8600 Rockville Pike
Bldg. 38, Room 2N-05-5
Bethesda, MD 20894

As participating organizations of the Consumer Coalition for Health Privacy (CCHP), we are writing to urge you to support established state health privacy laws in the Commission on Systemic Interoperability’s report to Secretary Leavitt and Congress on a strategy for the development of health care information technology standards. We were alarmed at media reports that the commission is considering a recommendation to override state privacy laws that are stronger than the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule.[1] Weakening privacy protections for consumers is not only unnecessary to the development of a National Health Information Network (NHIN), but would undermine the success of the system—which is wholly dependent on the trust and cooperation of patients.

The Consumer Coalition for Health Privacy is a diverse network of patient, disability, and consumer advocacy organizations actively engaged in the national and local debate on health privacy. The mission of the Consumer Coalition for Health Privacy is to educate and empower healthcare consumers to have a prominent and informed voice on health privacy issues at the federal, state, and local levels. Members of the coalition are committed to the development and enactment of public policies and private standards that guarantee the confidentiality of personal health information and promote access to high quality care. A complete list of coalition participants, as well as a variety of resources on health privacy can be found at: www.healthprivacy.org.

A recommendation to void stronger state health privacy laws directly contradicts the spirit of the HIPAA Privacy Rule—which is designed to provide a floor of protection. After decades of debate, Congress mandated the establishment of the Privacy Rule, the first ever federal requirements for securing health privacy in this country. Built into the process was the basic principle that the law would provide a foundation of protection that could be built on. Over and over, the Department of Health and Human Services has reiterated Congress’ intent that the Privacy Rule provide a mandatory baseline of privacy safeguards that can be strengthened at the state level.[2] That states can—and have—established stronger protections for patients is critical to the success of the Privacy Rule. Patients must be able to retain the right to push for and achieve enhanced protections at the state level.

Eliminating stronger state laws is also unnecessary to the development of health information technologies. In fact, the Privacy Rule was promulgated under the HIPAA Administrative Simplification provisions, which call on the development of electronic health information exchange. As an outgrowth of this, the Privacy Rule was specifically designed to protect medical information especially in the context of the increasing use of electronic communication between and among health providers. Whether or not to keep state laws intact has already been answered as a part of a discussion about moving the U.S. health care system towards electronic exchange. Furthermore, many states voluntarily aligned their laws to be more compatible with the Privacy Rule in the wake of the regulation’s implementation, thus creating even more uniformity among states.

Most importantly, the laws in question provide essential protections for individuals in those states. Many of the state laws were crafted to afford heightened protections for certain medical information, such as information related to HIV/AIDS status, genetic testing, and mental health. In addition, some state laws afford patients rights that should be afforded to them under the Privacy Rule, such as the ability to sue for violations.[3]

Weakening safeguards is both unethical and impractical. Such a move would only deepen consumer concerns about health information technology. As a recent Harris Interactive survey showed, 70 percent of Americans are concerned that an electronic medical record (EMR) system would lead to sensitive medical information being exposed because of weak security and 69 percent are concerned that an EMR system would lead to more personal health information being shared without patients’ knowledge.[4] That same survey showed that 47 percent of Americans believe that the privacy risks of an EMR system outweigh any benefits.[5]

Already, our nation’s health care system is undermined because of consumer privacy concerns. Without trust that their personal information is adequately safeguarded, patients withdraw from full participation in their own health care. As captured by a California HealthCare Foundation survey, one out of every six Americans engages in “privacy-protective behaviors” out of fear that their medical information will be used without their knowledge or permission. These behaviors include giving incomplete or inaccurate information to providers, paying out-of-pocket, or avoiding medical care altogether.

We strongly urge you to abandon any recommendation that takes privacy rights away from patients. In fact, instead of disabling protections, there should be a serious effort to bolster and extend established privacy rights. While the HIPAA Privacy Rule serves as a solid foundation for protecting privacy, it does not address many of the issues health information technology raises. For instance, many entities collecting and sharing electronic health information are not covered by the law. In this context, stripping consumers of current safeguards is not just misguided but dangerous, and would undoubtedly have a drastic impact on the extent to which patients are willing to engage in health information technology initiatives.

Our organizations are united by a commitment to ensuring access to quality health care in this country. The evolution of health information technology is promising and could ultimately both improve quality and empower patients to be more active participants in their health care. But, a NHIN cannot succeed without the trust, confidence, and cooperation of patients—who simply will not participate in a system that pushes important privacy and security protections to the wayside.

Health Privacy Project
National Association of People with AIDS (NAPWA)
American Association of People with Disabilities
Georgia Rural Urban Summit
National Consumers League
Consumer Federation of America
AFL-CIO
Association of Women’s Health, Obstetric and Neonatal Nurses (AWHONN)
Genetic Alliance
American Hospice Foundation
Department for Professional Employees, AFL-CIO
Legal Action Center
USAction
American Civil Liberties Union (ACLU)
American Mental Health Counselors Association (AMHCA)
Bazelon Center for Mental Health Law
Families USA
Electronic Privacy Information Center (EPIC)
AIDS Project Los Angeles

[1] Nancy Ferris, “Commission Mulls State Law Overrides,” Government Health IT.

[2] Joy L. Pritts, JD, Georgetown University Health Policy Institute, “Health Care Information Technology: Harmonizing Laws Governing the Confidentiality of Health Care Information,” Testimony before the United States House of Representatives Committee on Ways and Means, Subcommittee on Health, July 27, 2005.

[3] Health Privacy Project, The State of Health Privacy: A Survey of State Health Privacy Statutes, Second Edition, 2002, available at http://www.healthprivacy.org/info-url_nocat2304/info-url_nocat.htm.

[4] Harris Interactive Inc., “How the Public Sees Health Records and an EMR Program,” Conducted for Program on Information Technology, Health Records, and Privacy, Center for Social & Legal Research, February 2005.

[5] Ibid.