Coalition for Patient Privacy
October 18, 2007
Member of Congress
1502 Longworth House Office Building
Washington, DC 20515-1101
Dear Rep. Abercrombie:
Three fourths of the American public want Congress to ensure that our right to health privacy is protected in electronic systems and that electronic health databases and systems are truly secure. Americans have no Federal statutory right to health privacy today.
Despite the good intentions of the Health Insurance Portability and Accountability Act (HIPAA) and its “Privacy Rule”, the current regulations leave all Americans’ personal health information completely vulnerable and exposed. State laws, common laws and the Constitution are there for protection. Yet the HIPAA “Privacy Rule” is really a “Disclosure Rule” that authorizes more than 4 million entities to use and disclose an individual’s health information. This disclosure is without the individual’s consent and over their objections.
We, the undersigned organizations, urge Congress to establish basic privacy protections this year.
Setting national privacy standards is a job for Congress, not unelected agency appointees, who for the most part represent industry. An overwhelming majority of American consumers (86%) are somewhat or very concerned about the health industry’s ability to protect the privacy of personal health information in deploying Electronic Health Records (EHRs).
It is imperative to the millions of members of our organizations that NO health IT legislation pass without enforceable basic health privacy rights for all consumers. Alternatively, Congress should pass a comprehensive health privacy bill that ensures consumers the right to control disclosure of their personal health information before passing any Health IT bills. Senator Leahy’s Health Information Privacy and Security Act (HIPSA), S. 1814, is a good example of what is needed to protect our privacy.
The private sector, communities, states and federal agencies are racing to build EHR systems without adequate privacy protections. Congress has fallen far behind in protecting Americans’ right to health privacy. We hear about violations and abuses of privacy and of records almost weekly. Current laws do not adequately protect electronic health records, leaving the marketplace for “personal health records” and other products the “gold rush” of Health IT. Companies can now do virtually whatever they want with this sensitive information once consumers provide their information, including selling it in secondary markets. No American should be forced to have his or her information entered into this system.
Meanwhile, the President and federal agencies continue to push EHRs via Executive Orders and regulations that ignore what consumers want and Congress intended when it authorized HIPAA.
The reality is that Americans’ personal health information currently is accessed and used without first obtaining informed consent. “Informed consent” means that the person whose health is affected must know and understand the risks involved in disclosing the information. “Secondary” uses of our health records, which have nothing to do with improving our health, have become the primary uses of our health records. Researchers are using our most intimate information without informed consent and without requiring state-of-the-art security measures. These trends are unwelcome and dangerous. It is denying Americans opportunities; these practices must be stopped.
“Garbage In, Garbage Out.”
Without Congressional input or oversight, a national electronic health system will be built that will destroy privacy, and more importantly Americans’ trust in their health care system.
While many argue that electronic health records can help improve efficiency, lead to research breakthroughs, and lower the costs of health care, these outcomes are only remotely possible if and when informed consent is required for all uses. When patients do not trust doctors or the health care system to protect their privacy, they withhold information, they delay or avoid care, and they become sicker.
One in 8 Americans admit to putting their health at risk by engaging in privacy-protective behavior such as:
- Avoiding their regular doctor
- Asking a doctor to alter a diagnosis
- Paying privately for a test
- Avoiding tests altogether
Without control and trust, patients will not see physicians or use the health care system in an effective manner. Wary health care consumers will drive up costs and increase the danger to others. Further, the data collected and stored will be incomplete and filled with inaccuracies and omissions. Corrupted, incomplete and false data will not enhance or improve medical outcomes or research – it will make them exponentially worse.
The proper balance to ensure timely access to medical records for treatment, and preserve patient control of health records, is to allow access in emergencies if consent cannot be obtained, but require patient permission before records are disclosed in all other situations.
We urge you to build a foundation for health IT that is based on the following privacy principles and protections:
- Recognize that patients have the right to health privacy
- Recognize that user interfaces must be accessible so that health consumers with disabilities can individually manage their health records to ensure their medical privacy.
- The right to health privacy applies to all health information regardless of the source, the form it is in, or who handles it
- Give patients the right to opt-in and opt-out of electronic systems; i.e. the right for patients to give or withhold their consent for the use and disclosure of their health information.
- Give patients the right to segment sensitive information
- Give patients control over who can access their electronic health records
- Health information disclosed for one purpose may not be used for another purpose before informed consent has been obtained
- Require audit trails of every disclosure of patient information
- Require that patients be notified promptly of suspected or actual privacy breaches
- Ensure that consumers cannot be compelled to share health information to obtain employment, insurance, credit, or admission to schools, unless required by statute
- Deny employers access to employees’ health records before informed consent has been obtained
- Preserve stronger privacy protections in state laws
- No secret health databases. Consumers need a clean slate. Require all existing holders of health information to disclose if they hold a patient’s health information
- Provide meaningful penalties and enforcement mechanisms for privacy violations detected by patients, advocates, and government regulators
In summary, most Americans are “highly concerned” about the privacy of their health information. Without ironclad health privacy protections, a nationwide interoperable health system will fail. Americans simply will NOT trust doctors or the health care system if they do not control access to their most intimate personal information.
We urge you to take pro-active steps to safeguard our health privacy and ensure our loved ones are not wrongfully denied opportunities because of an illness or genetic risk of disease. We look forward to working with you and your staff on this urgent problem.
The Coalition for Patient Privacy
AIDS Action www.aidsaction.org
American Association of People with Disabilities www.aapd.org
American Association of Practicing Psychiatrists
American Chiropractic Association www.acatoday.org
American Civil Liberties Union www.aclu.org
American Conservative Union www.conservative.org
American Psychoanalytic Association www.apsa.org
Association of American Physicians and Surgeons
Bazelon Center for Mental Health Law www.bazelon.org
Bob Barr (former Congressman R-GA)
Citizens for Health www.citizens.org
Citizen Outreach Project
Clinical Social Work Association www.cswf.org
Consumer Action www.consumer-action.org
Consumers for Health Care Choices www.chcchoices.org
Cyber Privacy Project
Doctors for Open Government
Ethics in Government Group
Fairfax County Privacy Council www.fairfaxcountyprivacycouncil.org
Family Research Council www.frc.org
Free Congress Foundation www.freecongress.org
Georgians for Open Government
Gun Owners of America www.gunowners.org
Health Administration Responsibility Project, Inc. www.harp.org
Just Health (California Consumer Health Care Council) www.justhealthnow.org
The Liberty Coalition www.libertycoalition.net
The Multiracial Activist www.multiracial.com
Microsoft Corporation, Inc. www.microsoft.com
The National Center for Transgender Equality www.nctequality.org
The National Coalition for Mental Health Professionals and Consumers
National Whistleblower Center www.whistleblowers.org
The Natural Solutions Foundation www.healthfreedomusa.org
The New Grady Coalition
Pain Relief Network www.painreliefnetwork.org
Patient Privacy Rights Foundation www.patientprivacyrights.org
Privacy Activism www.privacyactivism.org
Privacy Rights Now Coalition www.privacyrightsnow.org
Private Citizen, Inc. www.privatecitizen.org
Republican Liberty Caucus www.rlc.org
The Student Health Integrity Project (SHIP)
Thoughtful House Center for Autism www.thoughtfulhouse.org
Tolven, Inc. www.tolven.org
Tradition, Family, Property, Inc.
Universata, Inc. www.universata.com
U.S. Bill of Rights Foundation
You Take Control, Inc. www.y-t-c.com
“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.” Forrester Research
cc: Every Member of the U.S. House of Representatives
Every Member of the U.S. Senate
For additional information please contact:
Deborah Peel, MD
Founder & Chair
Patient Privacy Rights