The Assault on Freedom, Federalism, and Privacy
The "right to privacy" is oft on the lips of federal lawmakers. They usually mean abortion, but most other people mean something more basic protection against snooping.
There always have been busybody neighbors, dumpster-diving thieves, and intrusive journalists, but protecting personal privacy has become even more important in the computer age. Threats come from all quarters. The most obvious known dangers result from crooks who go "phishing" for personal financial information online or who break into personal computers or corporate intranet systems. However, sometimes the gravest threat to privacy and our liberties comes not from thieves but from government officials who claimed that their "need to know" trumps the individual right to be left alone.
Few issues are more sensitive to most people than their health. For many reasons, ranging from fear of embarrassing disclosures to determination not to unsettle loved ones, patients desire to keep their medical information private.
While the development of electronic medical record-keeping has been a boon in many ways, electronic data, especially online, is easily shared and vulnerable to abuse by the curious and the malicious alike. Medical data is especially problematic. There is rarely a valid reason for banks to transmit account details to other companies or the government; however, medical treatment routinely crosses the boundaries of professional offices. With electronic data, not only can more people see your medical information, but more people believe they must see it.
Most Americans recognize the danger. According to a recent survey conducted by Forrester Research for the California HealthCare Foundation, two-thirds of respondents were concerned about the confidentiality of their medical records; nearly three- fourths of minorities were worried. Roughly one person in four cited at least one incident in which they believed their privacy had been compromised. More than seven in ten worried that electronic record-keeping made unauthorized access more likely.
Strong legal protections are needed for medical privacy. Moreover, patients must be able to contract privately with their physicians to protect their privacy independent of or in conjunction with state privacy laws. This means that patients must be in control of the dissemination of their health information. They must be allowed to decide who gets to see what data, and when. Fortunately, despite the federal government's assault on medical privacy, many states have enacted patients' rights into law. Even when medical offices press for patient approval of the transfer of information (as demanded by insurers, for instance), the overall presumption should be shifted to nondisclosure unless otherwise specified by the patient or legal guardian.
Beyond repealing the HIPAA "Privacy Rule" really a disclosure rule, Congress must be prevented from further nationalizing the laws governing medical information privacy in the name of encouraging electronic data transmission.
Although online information-sharing can yield undoubted benefits, some medical offices have been slow to automate this aspect of their practices. But such behavior does not represent a crisis requiring federal intervention. Actually, this behavior is in many cases a response to previous federal interventions via the HIPAA Privacy Rule. Many doctors have decided not to go electronic, in order to protect medical privacy as well as they can.
A National Infrastructure: H.R. 4157
Congress and the President are now threatening to unsettle further the delicate balance between protection of and access to patient information, which is already weighted against protection and toward non-consensual disclosure. About two years ago, President George W. Bush issued an executive order creating the National Health Information Technology Coordinator. This person's work, intoned the President, "shall be consistent with a vision of developing a nationwide interoperable health information technology infrastructure."
The expressed goals are reasonable enough: better medical care, lower costs, improved coordination, and greater competition. All the while, the system is to ensure "that patients' individually identifiable health information is secure and protected." However, any national effort at standardization risks undermining state laws, which have offered the only legal protection for patient privacy. Luckily, the impact of this effort has been limited. Without new legislative authority, there is little that a federal "coordinator" can do.
Of much greater concern are congressional proposals to give federal officials such authority. For instance, H.R. 4157, the Health Information Technology Promotion Act of 2005, uses the language of patient confidentiality. But it would simultaneously lead toward the creation of a national medical database while weakening patient control over information disclosure.
Establishing a national system is the key goal. Rep. Nancy Johnson (R-CT) explained: "This legislation will make sure the national health IT coordinator's post is a permanent one, and it will overcome some of the key obstacles that have slowed our progress toward adoption of a national, interoperable electronic system."
H.R. 4157 establishes a permanent bureaucracy, an Office of the National Coordinator for Health Information Technology. This is the statutory authority lacking in the President's executive order. History suggests that such an office, once established, will never be eliminated. The National Coordinator in turn is to create "a nationwide interoperable health information technology infrastructure." But that's not all. The legislation continues: "The National Coordinator shall maintain, direct, and oversee the continuous improvement of a strategic plan to guide the nationwide implementation of interoperable health information technology in both the public and private health care systems." Indeed, building a federalized information infrastructure will not be limited to the Department of Health and Human Services. Rather, the National Coordinator is to coordinate HHS programs "with those of relevant executive branch agencies and departments...to create a national interoperable health information system."
Additionally, the legislation would attempt to coopt private entities, establishing a public-private partnership: HHS, "in consultation with entities involved in the area of health information technology, shall develop a strategic plan related to the need for coordination in such area."
The necessity for such a system is not obvious. A nationwide system can develop informally and spontaneously, as essentially has been happening since the development of the computer. Thousands of medical professionals across America already are adjusting their medical records and practices in their own way and at their own pace. And most doctors, labs, and hospital already cooperate effectively to share information in treating patients.
While the evolution of the market has been a bit confusing and complicated, it has enhanced the freedom of patients and physicians alike and allowed all participants to learn from their mistakes. Federal officials who believe that they can "do better" ignore the routine inefficiency and failure that follows attempts to short-circuit market experimentation through centralized government control.
Attempting to force the health information process into a national mold at a speed desired by Congress risks several adverse consequences.
First, information could more easily be accessed by unauthorized people and, thanks to the Privacy Rule under HIPAA, the list of authorized persons is quite long and disturbing. Most of us shudder when we read of thousands of credit card accounts made vulnerable by a single electronic bank break-in. Federalizing the medical information process could make millions of Americans vulnerable to systematic misuse of "a nationwide interoperable health information technology infrastructure."
Second, this system would encourage creation of a national medical ID number or card. The intent might be for good rather than for ill, but that's how restrictions on liberty almost always are first advanced. Such a system might yield greater efficiency, even though the preliminary data suggests otherwise, but would jeopardize freedom from government snooping. Individual medical professionals and offices might abuse their positions, but only the federal government can put us all at risk.
Third, national information standards could ultimately transform patient care and interfere with treatment decisions. For instance, H.R. 4157 explains that the new infrastructure is to advance delivery of "appropriate, evidence- based health care services" and reduce "inappropriate care."
How will "appropriate care" be defined? An activist bureaucracy determined to change medical outcomes could use its power over medical information to promote or even mandate certain treatment practices and outcomes.
This is hardly an ivory-tower concern. In many cases Americans are governed more directly through rules issued by federal agencies than through laws enacted by Congress. And in more than a few areas those rules have moved far beyond the original intent of the authorizing legislation.
That federal officials have a multifaceted health agenda has long been obvious: the campaign against smoking is long developed, while that against obesity is just beginning. Nagging about nutrition and exercise now is commonplace. However well- intentioned such efforts might be, Americans should be wary before they allow government to put the force of law behind similar initiatives. People concerned about their privacy should not allow their legislators to make broad grants of authority to any bureaucracy in any area, especially one as important as their own medical care.
Finally, passage of H.R. 4157 would breach the final privacy redoubt for many Americans: protective state rules. The proposed bill could preempt any state law "for use in the electronic creation, maintenance, or exchange of health information." In some policy areas Congress sets a minimum standard, but allows states to make more protective standards. Not here, for medical privacy, however. The legislation gives a nod to confidentiality and privacy concerns, calling for a study of state and federal laws governing information disclosures. But the bill emphasizes "the need for timely and efficient exchanges of health information to improve quality of care and ensure the availability of health information necessary to make medical decisions at the location in which the medical care involved is provided."
Since those exchanges now routinely occur naturally and without federal interference, one wonders at the real agenda behind H.R. 4157. Many medical operations have been lobbying for years to weaken (or even eliminate) state rules governing patient consent for the release of medical records. This legislation looks like yet another assault on privacy.
How to Protect Freedom and Privacy
Opposing H.R. 4157 doesn't mean opposing information sharing in principle or even federal efforts to eliminate barriers to private coordination. But any "national infrastructure" should meet three basic conditions:
1. It should be market-based. That is, developments should reflect natural trends among patients and professionals. Rather than attempting to impose any particular system, a federal "coordinator" would advise public officials on policy reforms needed to eliminate unnecessary legal or regulatory restrictions on improved information-sharing, support and promote medical ethics, and truly protect medical privacy. This should include repealing the privacy rule under HIPAA and removing any and all barriers to private contracting to control disclosures.
2. It should respect rather than override state privacy protection laws. Ultimately, the decision on sharing medical records should rest with the patient. States may properly choose somewhat different levels of protection and enforcement. There is no justification for the national government to eliminate such differences, especially by reducing privacy guarantees.
3. It should rely on "opt in" rather than "opt out" or especially "no choice." That is, patients, doctors, nurses, and others should be left to decide whether or not to cooperate with federal efforts. The benefit of uniformity does not override the importance of liberty. Many people will be naturally reluctant to risk their medical privacy even when national officials appear to be well-intentioned and national efforts look well-designed. But respecting such suspicions is the essence of a free society. Public officials always have seemingly "good" reasons for violating people's liberty. Attempts to override patient privacy rights are no different.
If the right to privacy means anything, it should ensure that Americans control access to their health information. The benefits of computerizing and sharing information are real. But so are people's fears that simplified access to those newly convenient records will be abused. Congress will fail in its most basic duty to protect people's personal liberties if it approves H.R. 4157.
Michael D. Ostrolenk is a member of the AAPS government affairs team in Washington, D.C.
