Ten Privacy Principals for Health Care My name is Beth Givens. I am the director of the Privacy Rights Clearinghouse, formerly of the Center for Public Interest Law at the University of San Diego, and now associated with the nonprofit consumer organization UCAN, the Utility Consumers' Action Network. We operate a hotline for individuals to call to ask questions and make complaints about informational privacy. And we have developed 22 guides for consumers on ways they can safeguard their privacy, one of which, our medical privacy fact sheet [Fact Sheet No. 8], has been provided to you. The PRC has been in operation for seven years. [www.privacyrights.org] We cover a broad range of privacy issues on the hotline, and medical privacy issues rank in the top ten each year. I will relay just a few types of complaints and questions we get regarding medical records privacy: 1. We got a call from a legislative aide who had been contacted by a very angry constituent. The woman had gone to the hospital to have a baby. She was married to an undercover police officer and told the hospital repeatedly not to release her home address to anyone, but rather to use their PO Box. This was for personal security reasons regarding her husband's work. Just 3 days after she returned home, she began receiving mail at her home address from companies selling baby-related products and services. 2. We got a call from a man who had gone to the hospital for treatment of his prostate cancer. A month later he received a solicitation from a pharmaceutical company regarding a medication they sell to treat prostate cancer. 3. We receive a number of calls from people, many of whom do not wish to identify themselves to us, or even where they're from because of fear of disclosure of their medical conditions to employers and potential insurers. They ask "if I go to the doctor for such and such an ailment, will that information get to my employer"? Or will information be released to the Medical Information Bureau if I get such and such a lab test? The advice we reluctantly give to such callers is that to ensure privacy, they should consider going to another health care provider and pay cash for the treatment, bringing a letter with them requesting that the records for their visit be held in confidence. Overall, I would say that consumers are fearful of the consequences of their medical records getting into the hands of any entity that might prove harmful to them -- their employer, credit bureaus, and insurance companies. In the 4th Century B.C., Hippocrates made this statement about the confidentiality of patient information, and I quote the Hippocratic Oath: Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not be noised abroad, I will keep silence thereon, counting such things to be as sacred secrets. [end of quote] If that were to be rewritten today, it might say: Whatever I see or hear in my attendance on the sick or even apart therefrom will be divulged to physicians, nurses, aides, surgeons, anesthesiologists, dietitians, physical therapists, admitting clerks, billing clerks, utilization review personnel, discharge planners, records coders, medical records filing staff, chaplains, volunteers, performance evaluators, insurers, medical transcriptionists, accrediting agencies, public health officials, other government officials, social workers, and employers. AND to whomever else requests them for whatever reason. [attributed to Dale Miller, Irongate Inc.] This laundry list attests to the complexity of our health system today and to the fact that there is really no such thing as confidentiality of medical information. In fact, informal studies have shown that as many as 80-120 individuals in a health care system such as a large hospital or HMO might have access to a patient's medical records. Health-related information that we share with doctors and others is among the most intimate and sensitive of all personal information. In addition to information about physical health, these records may include information about family relationships, sexual behavior, substance abuse, and private thoughts and feelings related to mental health. Yet, as privacy advocate Evan Hendricks put it, video rental records in this country are afforded more privacy protection under law than are medical records. Information from medical records may influence one's employment and employability, credit worthiness, ability to get health insurance, or the rates paid for coverage. We have heard today of the several trends in the health care industry and larger society that have a bearing on medical records privacy. I will not repeat these. Instead, I wish to stress in my remarks today the importance of developing a set of strong privacy principles to be codified into law. These are often called Fair Information Practices and I will briefly summarize ten such principles. These have not to date been effectively codified into laws regarding medical records privacy. That is the challenge facing policy makers today. First is the principle of openness. And second is the related principles, access. Fortunately, we already have under California law the right of access to our medical records. I would add to this principle, in this era of electronic records, the notion of education -- the importance of health care establishments to notify patients of the right of access and to make such access a normal and expected part of health care. Third, is the principle of accuracy, the ability to easily amend and/or correct medical records. This is especially important in a managed care environment where many different health care providers have access to the records. This is also critical in a data sharing environment, which Connie Roberts [San Diego County] will discuss. There is no such thing as a perfect data base, and errors and misleading information can be compounded when data bases are merged. Fourth, is the principle of limiting collection. And fifth, the related principle of limiting use, disclosure and retention. There is the temptation to collect and disseminate more information than is necessary for the matter at hand, especially in this era of computerized data collection, when computers are getting more powerful at the same time as they are becoming less expensive to operate. We are going to be hearing about data sharing among San Diego County government agencies -- the sharing of information that is very sensitive -- medical records, mental health files, school records, welfare benefits information, even criminal records and probation information. How necessary, aside from the basics of name, address and a few other key pieces of data, is the totality of that data to serve individuals effectively. How will all that data be handled over time? Will files be expunged when no longer needed? And what are the risks of compiling extensive data bases, only to have them accessed for entirely different purposes, including law enforcement and surveillance? That brings me to probably the most powerful and least enacted principle, that of secondary usage. This sixth principle states that information gathered for one purpose shall not be used for other unrelated purposes without the consent of the data subject. The temptation in any compilation of data, especially data as sensitive as that gathered by social service agencies and health care facilities, is to use that data for other purposes. I bring to your attention a San Diego County Supervisors measure approved in April of last year which would enable social services information to be shared with immigration officials -- a classic example of secondary usage. One of the toughest decisions for policy makers to make is to segment that data so as not to alter the original purpose for the data gathering, and not to ultimately, change the focus from true service and betterment of lives to that of surveillance. Another type of secondary usage is marketing. I relayed a case earlier about a patient receiving unwanted and unexpected solicitations from marketers as a result of seeking health care. I"ll pass around this full page ad from a pharmaceutical trade magazine which clearly exemplifies the marketing uses of personal medical records data. [Metromail - "Announcing the world's finest list of who's got what."] A seventh principle is that of informed consent. This is especially critical when data will be compiled from a number of sources and then used for multiple purposes. A foundation of any legislation dealing with medical records, and with social services data sharing, is the requirement of very specific authorization forms. We hear many complaints from consumers calling our hotline who have been asked to sign off on overly broad authorization forms. As I have heard from several individuals, even taking the proactive step of lining out the broad language and replacing it with specific language does not always work. In addition to consenting to specific conditions, release authorization forms also must specify date. Patients should not be asked to sign off on unlimited time frames for release of their medical data or social services data. An eighth principle is security. I am not referring only to the security of computerized systems from hackers, from outsiders who threaten the security and integrity of the data, but also to those within the health care setting. Are there electronic audit trails so access can be tracked? Are especially sensitive records segmented for limited access? Are medical records restricted only to those with a need to know? The ninth principle is compliance. This encompasses meaningful sanctions for privacy abuses. The lack of such sanctions is, I believe, one reason that the cases I relayed in my introduction occurred. If there were stiff fines, even imprisonment, for the unlawful release of personal medical records, there might be more of a "culture of confidentiality" having evolved in the health care industry. The current fine for violation of California's Medical Records Confidentiality Law, Civil Code 56, is a mere $3,000, practically nothing in this day and age. I suspect we'll see bills in the next session to raise that considerably. The tenth and final principal is accountability. The agency or organization is responsible for the personal information under its control and it shall designate a person who is accountable for compliance with the principles. I want to close by discussing the importance of trust in delivering effective health care. It is going to be difficult to instill a high level of trust in consumers until there is adequate protection in law regarding the confidentiality of medical records. Obviously, the vast benefits projected for electronic records systems and data sharing are not going to be forthcoming if patients are not willing to divulge key pieces of information about their physical and mental health.