Deborah C. Peel, MD

On behalf of the

American Psychoanalytic Association

And the

Mental HealthCARE Foundation

Austin, TX

Testimony

For the

Constitution Subcommittee of the

Judiciary Committee

The United States House of Representatives

Hearing on Genetic Privacy

September 12, 2002

Chairman Chabot, Representative Conyers, and Members of the Subcommittee:

The mother of two sons under the age of five was served with divorce papers. Her father is schizophrenic. Should the risk of her having breast cancer or a mental disorder in the future keep her from having custody of her children? The couple separates. Should genetic testing of the children be used to assess their potential health problems and alter the amount of financial support their mother receives? The couple divorces. Should the mortgage company be allowed to access the results of her genetic testing to assess her life expectancy before deciding to offer a loan? Shortly after the divorce, her ex-husband was killed in a car wreck by a drunk driver. Should her husband’s genetic testing results be used to determine his life expectancy before the accident, to help insurers determine the death benefits for his sons?

This scenario is not science fiction, and it is not future shock. It can happen now in America, in 2002. It may not shock you or me, but the inability of Americans to protect their medical and genetic privacy is very real. Americans are in total denial about the federal government’s elimination of their rights to genetic and medical privacy.

The use, sale, and sharing of highly sensitive identifiable genetic and medical information for non-medical purposes is widespread, because our federal, Constitutional, and common law rights have been increasingly ignored. The genetic and medical records of our entire country, which are stored in massive databanks, are being accessed to make business, credit, insurance, educational, and employment decisions, without our knowledge or consent.

Chairman Chabot and members of the committee, thank you for inviting me to speak. I very much appreciate the opportunity to address the urgent need to protect genetic privacy. The urgency comes from the elimination of the federal right to consent to the release of medical records when the amendments to the HIPAA Privacy Rule become effective on October 15, 2002. 67 Fed.Reg. 53,182 (August 14, 2002).

In the history of the right to privacy, October 15^th will come to symbolize infamy just as December 7^th came to symbolize the most infamous attack in American history prior to Sept 11^th.

In only five weeks, the Constitutional right to the privacy of the most personal information that exists about each of us, our genetic information, will be completely stripped away. No man or woman will own or control his or her genetic and medical records, when the amendments to the Privacy Rule go into effect.

INTRODUCTION

I am a physician. My name is Deborah C. Peel. MD. I have been a practicing in Texas for over 25 years. I specialize in psychiatry and psychoanalysis. Privacy is the foundation of my work. No one would ever talk to me about their deepest problems or disclose personal information if they thought their fearful thoughts, their disturbing fantasies, their most personal memories, or their feelings of shame, guilt, and humiliation would ever be revealed. In fact, for decades, the ethical standard of practice for record keeping in psychoanalysis has been NOT to record notes of psychoanalytic sessions. The very existence of records damages trust and impairs the patient’s ability to disclose the most sensitive material.

Treatment cannot be effective if privacy is not guaranteed, because patients do not feel safe to fully disclose what is on their minds. The US Supreme Court recognized that even the threat of disclosure of the records of psychotherapy would deprive Americans of effective mental health treatment, because people would either not seek help or not trust the therapist enough to confide in him or her. (US Supreme Court, Jaffee v. Redmond, 1996) Reasoning that it was in the public’s best interest to have access to effective psychotherapy, the Supreme Court rejected “balancing” the need of federal courts to know what was communicated during the course of treatment with the privacy rights of patients in psychotherapy. The Court upheld the right to the privacy of patient-therapist communications.

I am here to speak on behalf of myself, as well as the American Psychoanalytic Association and the Mental HealthCARE Foundation. The organizations I represent share very strong interests in protecting the right to medical privacy. We want to thank you and commend you for your interest in genetic privacy, a unique component of medical privacy.

But, I’m not here only to represent professionals and advocates. The main reason I came is to speak for the rights of each and every individual American, who stand to lose one of the most vital and important Constitutional rights: the right to privacy, through the public exposure for profit, of their genetic and medical records. Frankly ladies and gentlemen, if the general public understood what has actually been taking place they would be outraged. A June 2000 Time/CNN Poll showed that 75% of those surveyed did not want any information about their genetic code revealed to their insurance company. But insurance companies are the primary depositories of the identifiable genetic information of Americans.

THE END OF GENETIC PRIVACY

Every man, woman, and child in this country will be deprived of control of his or her genetic and medical records on October 15^th. Let me walk you through what the loss of the right to privacy will mean for every American.

Beginning today, TV, radio, newspapers, and magazines in Atlanta and Denver will be saturated with ads by Myriad Genetics, Inc. encouraging women to get genetic testing for breast and ovarian cancer, at a cost of $300-$2,800.

After October 15^th, the genetic test results of every woman who undergoes screening for those cancers will become not only the commercial proprietary information of Myriad Genetics, Inc., but become the commercial property of her health plan or insurer, her employer, and also be accessible to over 600,000 other businesses and entities, as well as financial institutions, whether or not she pays for the tests herself, and whether or not she had the tests before October 15^th. Access to all genetic and medical records will be retroactive. If she refuses consent for the release of her test results, the government’s new “regulatory permission” will override her refusal.

Protecting genetic privacy is a matter of great urgency: every citizen’s right to consent to the release of his or her genetic information will be eliminated by the changes in the HIPAA Privacy Rule. By fiat, the federal government has usurped unprecedented new powers which destroy our most precious individual right, the right to be left alone, the right to privacy.

Will we allow control of the most sensitive information that exists about us to be taken from us: knowledge of the genes that make up our genome, the genetic code from which we were created? Will most of us even realize the loss until we are fired, or turned down for insurance, or denied promotions?

BRAVE NEW WORLD: Genetic Testing without privacy

Let’s look at the example of Myriad in more detail. A woman who wants to learn her risk of getting cancer by obtaining genetic testing will have her test results owned and shared by a for-profit research corporation and her for-profit insurance company or health plan. Does Myriad Genetics Inc. share genetic testing information with its business partners, currently including Dupont, Bayer, E Hitachi, Novartis, Oracle, Pharmacia, Roche, Abbott, Schering AG, Schering Plough, and Syngenta?

Myriad has an interesting business plan. First they sell genetic tests to individuals. Do they profit further by sharing these same genetic tests results with other corporations with whom they have entered into “strategic alliances”? Myriad’s financial reports for Fiscal 2002 showed “the revenue growth profit margins on predictive medicine revenues were 60%”. [From Myriad Genetics (ticker: MGYN, exchange: NASDAQ) News release- 22-Aug- 2002] Identifiable genetic information is a very valuable corporate asset.

In fact, untold numbers of individuals’ identifiable genetic testing results are in the hands of many other private, for-profit genetic testing businesses. Companies selling paternity tests are the most common. Myriad is just one example showing the kind of aggressive direct-to-consumer marketing we can expect to see far more of, which will result in the accumulation of vast amounts of sensitive individual genetic information in the hands of for-profit corporations.

The sale, use, sharing, or re-disclosure of individual genetic test results should not be permitted unless consent is obtained. Individuals should be able to choose to have genetic testing without fear of subsequent disclosure to any third parties.

For-profit health care corporations have a disturbing history of warehousing identifiable medical records in databanks and appropriating the data for corporate use, as if it were commercial proprietary information, i.e., transforming individuals’ personal medical records into corporate assets. HMOs and PBMs (pharmacy benefits management companies) are well-known examples of this industry-wide practice by for-profit healthcare corporations. This practice amounts to the illegal search and seizure of the most sensitive identifiable information that exists about each of us: our genetic and medical data.

Starting October 15, 2002, the individual right to consent to the release of genetic and medical information will be eliminated and re-disclosure of all sensitive individual medical information will become the norm as health plans invoke the new federal “regulatory permission” to gain access to everyone’s entire medical and genetic records, past and future, for any purposes related to “health care operations”. There will be no notice of any access and no audit trails.

The only way anyone can obtain genetic privacy going forward will be to have all genetic testing under an alias. If you didn’t have the foresight to obtain genetic testing in the past under an alias, you will not be able to keep the results private, because the HIPAA Privacy Rule amendments provide retroactive access to the results.

GENETIC PRIVACY AND THE CONSTITUTIONAL RIGHT TO PRIVACY

The right to genetic privacy, an aspect of medical privacy, is a key Constitutional issue, so there is no more appropriate place in Congress to consider the implications of depriving Americans of that right. Information about specific genes is the most sensitive medical information that now exists about our bodies. Soon our entire genomes will be mapped and stored (warehoused) in databanks.

Genetic information deserves a very high level of privacy protection because it reveals vitally sensitive information that is easily misinterpreted and imperfectly understood, not only about the individual who has genetic testing, but also about current blood relatives of that individual, and about future generations. Genetic test results from a single person can be used to discriminate not only against that individual, but also against literally hundreds of his or her living relatives, including parents, cousins, children, grandchildren, and all offspring.

When implemented, the amendments to the Privacy Rule will eliminate the right of each American to control the release of his or her medical and genetic records. The rights of individual citizens will be replaced by new governmental “regulatory permission” for the release of medical and genetic records, even if patients object to the release, pay privately for medical care, or if the records were created in the past with the expectation they would be kept private forever. Genetic information was NOT specifically excluded from the vast reach of the new governmental “regulatory permission” for disclosures.

Should the government be able to unilaterally deprive citizens of their most valued basic right, the right to be left alone, the right to privacy, without obtaining Congressional approval? Should the government be able to establish the precedent of depriving citizens of their fundamental rights guaranteed under the Constitution by giving blanket “regulatory permission” on their behalf? Should the government be able to deprive citizens of fundamental rights via amendments to HIPAA without a Congressional review?

In the words of Justice Brandeis, “They [the makers of the Constitution] conferred as against the Government, the right to be let alone---the most comprehensive of rights and the right most valued by civilized man.“ (Olmstead v. U.S. 1928)

The breadth and scope of the intrusions into individual medical privacy permitted in the Administration’s amendments to HIPAA are unprecedented in the history of our nation. Our courts have always affirmed very strong protections for the rights of individuals to the privacy of their personal medical information. Nothing could intrude more on individual’s rights to privacy than the loss of the ability to consent to the release of medical information. By federal fiat, the 2000 year-old principles and ethics underlying the practice of medicine have been eliminated: the right to privacy and the admonition to physicians to do no harm. When sensitive genetic and medical records can be used to harm patients, not to help them, because doctors and patients cannot stop access to the records, then the doctor-patient relationship will be destroyed, i.e., the foundation of our health care system will be destroyed.

In Sterling v. Borough of Minersville, 232 F. 3d 190 (3d Cir. 2000). A young man was accosted by a police officer who knew him and threatened to tell his grandfather that he was gay, if he would not tell his grandfather himself. The young man killed himself rather than be forced to make such a disclosure. His estate sued the police department. The Third Circuit Court found that the “right not to have intimate facts concerning one’s life disclosed without one’s consent…is a venerable one whose constitutional significance we have recognized…Sterling, 232 F.3d at 194, citing Bartnicki v. Vopper, 200 F.3d 109, 122 (3d Cir. 1999), aff’d, 532 U.S. 514 (2001).

In Ferguson v. City of Charleston, 532 U.S. 67, 78, 121 S. Ct. 1281 (2001), the Supreme Court noted that “[t]he reasonable expectation of privacy enjoyed by the typical patient undergoing diagnostic tests in a hospital is that the results of those tests will not be shared with nonmedical personnel without her consent.” As the Court further noted, “[i]n none of our prior cases was there any intrusion upon that kind of expectation.” And in a footnote, the Court stated, “In fact, we have previously recognized that an intrusion on that expectation may have adverse consequences because it may deter patients from receiving needed medical care.” Citing Whalen v. Roe, 429 U.S. 589, 599-600, 97 S. Ct. 869 (1977). And this case involved a very circumscribed effort to obtain the results of someone’s drug tests and urine samples.

On October 15^th health plans will gain open access not only to the results of a few diagnostic drug and urine tests performed in hospitals and to patient communications about sexual orientation with their physicians, but to the all the genetic and medical records of every citizen of this nation. Access to all past and future medical records, in every place where patients receive (or received) medical care, will be permitted by over 600,000 covered entities, business associates of those entities, and all their employees. The effect of eliminating the right to consent is breathtaking in its scope and comprehensive in its inclusiveness.

Never, in the history of our country has there been an invasion of medical privacy that is as pervasive as that permitted under the amendments to the Privacy Rule, which should more properly be called the Disclosure Rule.

WHY THE ‘OPTION’ TO USE CONSENT ELIMINATES CONSENT

Physicians and others will still have the ‘option’ to continue to use the consent process after October 15^th. In practice however, ‘options’ will soon cease be used, because refusing to consent to release genetic and medical information will no longer stop any data from being released. Even if patients refuse to consent to a release, the new federal “regulatory permission” will always override the patient’s refusal. Physicians and patients will quickly realize that the consent process has been rendered little more than a meaningless sham.

“Although HHS insists that the doctors will still have the "option" to allow you to give or withhold consent, the option will be at the discretion of your doctor, not you. And your doctor will be put in a very difficult position. Will it be in his or her best interest to serve you, the patient, or the insurance company that is cutting the checks? Let's say your doctor does refuse a regulatory request from your insurer for your records - there is nothing stopping the insurer from claiming that it cannot properly conduct its health care operations without your records and dropping your doctor from its network of providers for failing to comply with federal regulations.” (From “Bye-bye doctor-patient confidentiality? Your medical records may soon be up for grabs”, April 24, 2002, by Vicki Lankarge, Senior Editor at insure.com)

EFFECTS OF THE LACK OF MEDICAL AND GENETIC PRIVACY

Most patients I see in my office pay out-of-pocket for treatment in order to insure privacy. Some even pay cash, fearing bank disclosures. Many request sample medications for the same reasons. People with mental illnesses, addictive disorders, and those who were abused as children know full well that disclosure of these disorders or problems can ruin their lives, cause job loss and financial ruin, as well as causing them and their families to suffer intense shame and humiliation.

Managed care, heavily assisted and subsidized by government agencies, has accumulated the medical records of every insured and/or hospitalized patient in the entire nation. A stated promise of managed care was to identify and promote the most effective medical treatments. Instead, the primary use of the vast governmental and private databases of identifiable medical, genetic, and prescription records has been to enhance corporate profits by denying, delaying, and substituting inferior care for all costly and chronic medical illnesses (especially mental illnesses), and for the direct marketing of medications.

To have a mental illness (which has complex genetic, inherited determinants) and possibly have another genetically determined illness is a double whammy. My patients already fear that their children will be predisposed to getting the mental illnesses from which they suffer and worry that they will be discriminated against for having parents with mental illness. Additionally, others fear getting Alzheimer’s disease, breast cancer, or other cancers, because relatives have been affected. But they refuse testing to allay or confirm their fears and potentially enable early detection and treatment, because they fear the harm from unknown disclosures, since there are no audit trails of disclosures. The fear of having a predisposition to cancer or to a degenerative neurological disease will pervade their lives indefinitely and become a source of chronic stress as well as a focus in psychotherapy (from "Protecting Privacy in the Behavioral Genetics Era," a manuscript by Harold J. Bursztajn, M.D. Co-Director and Richard Sobel Ed. D, Senior Fellow, Harvard Medical School Program in Psychiatry and the Law, currently being reviewed for medical journal publication).

Genetic records have become valuable commodities. The economic value of identifiable medical records is so staggering that it has subverted the fundamental ethic of putting the patient and the patient’s needs first. My patients want to know their genetic predispositions without fear of discrimination. If they were in the Mayo Clinic system, it appears to me that their needs would be secondary. The Mayo Clinic reportedly intends to implement a three-stage plan to warehouse the personal genetic information of its 5 million patients for medical research purposes. Ultimately, Mayo hopes the world's research community will pay for access to the data (Mayo Clinic Must Guarantee Patient Consent for Genetic Database, by Twila Brase, President of the Citizens' Council on Health Care, July 2002). The Mayo effort appears similar to what has already occurred in Iceland. Iceland has sold its entire nation’s medical and genetic database to a US corporation, deCODE Genetics, Inc., which in turn plans to sell the Icelanders genetic data for profit internationally.

Today, tragically patients and their governments are being forced to choose between providing health care or providing privacy. But effective medical treatment cannot occur without ensuring privacy

Without federal protection we are fast approaching the day when the government and giant private corporations will possess the genomes of every person in America. Will they decide who receives higher education based on genetic predispositions? Will they decide who receives the best medical care based on genetics? Will they decide who is allowed to bear children? The horrific potential for eugenics and the total control of every person in the nation is

at hand.

CONSEQUENCES OF THE AMENDMENTS TO THE PRIVACY RULE

The amendments to the federal Health Information Privacy Rule published in final form on August 14, 2002 contain serious constitutional defects.

The most serious legal issues appear to be raised by the portion of the amendments that repeal a federal right on the part of all citizens to not have identifiable health information used or disclosed without their consent. This right, as a regulatory matter, was incorporated as part of the “floor” of federal health information privacy protections set forth in the original version of the Privacy Rule that went into effect on April 14, 2001. (66 Fed. Reg. 12,434)

That right will be repealed when the amendments to the Privacy Rule become effective on October 15, 2002. 67 Fed. Reg. 53,182 (The “compliance date” by which “covered entities” must implement changes mandated by the Rule is April 14, 2003, but the date on which the rights of the public are vested or are repealed is the “effective date” of the Rule and its amendments. The effective date of the amendments also is significant for the “chilling effect” it will have on communications between patients and their physicians.)

The two most significant changes contained in the amendments are

(a) They repeal the federal right of individuals to not have their identifiable health information used or disclosed without their consent; and

(b) They provide “regulatory permission” by the federal government for covered entities to use or disclose identifiable health information for the purposes of treatment, payment, or health care operations. 67 Fed. Reg. at 53,211

These amendments have the following practical effects on the right to privacy of identifiable health information under federal law:

1. Personal health information can be used and disclosed without the individual’s knowledge or consent.

2. Personal health information can be used and disclosed even over the individual’s objection.

3. The amendments apply retroactively and permit the use and disclosure of personal health information currently in medical records even if that information was disclosed to a physician or provider with the expectation that it would not be further used or disclosed without consent.

4. The blanket “regulatory permission” granted by the federal government creates a presumption that all medical information is available for use and disclosure unless the individual can assert some state law or standard of medical ethics to rebut the presumption.

5. Individuals are powerless under the amendments to prevent the use or disclosure of communications with health care professionals in the past, present or future.

The amendments to the Privacy Rule provide government permission for over 600,000 entities and literally millions of their employees and “business associates” nationwide to use and disclose the personal health information of “virtually every American”. 66 Fed. Reg. at 12,739. The only limitation is that the information be used or disclosed for “treatment, payment, or health care operations”. “Health care operations”, however, is defined so broadly as to provide little if any discernable restriction, in that it includes such activities as “business planning and development”, “business management and general administrative activities,” and “the sale, transfer, merger, or consolidation, of all or part of a covered entity and the due diligence”. 164.501

CONSUMER RIGHTS IN THE ORIGINAL HIPAA PRIVACY RULE

Any doubt about whether consumers have a reasonable expectation that their medical information will not be disclosed without their consent was removed by the findings in the rule making record of the original Privacy Rule, which states:

“Privacy is a fundamental right”. 65 Fed. Reg. at 82,464

“[F]ew experiences are as fundamental to liberty and autonomy as maintaining control over when, how, to whom, and where you disclose personal material.” Id.

“The need for security of ‘persons’ is consistent with obtaining patient consent before performing invasive medical procedures…Informed consent laws place limits on the ability of other persons to intrude physically on a person’s body. Similar concerns apply to intrusions on information about the person.” Id.

“Comments from individuals revealed a common belief that, today, people must be asked permission for each and every release of their health information…Our review of professional codes of ethics revealed partial, but loose, support for the individuals’ expectations of privacy.” 65 Fed. Reg. at 82,472.

“…many comments that we received from individuals, health care professionals, and organizations that represent them indicated that both patients and practitioners believe that patient consent is an important part of the current health care system and should be retained.” 65 Fed. Reg. at 82,473.

“Many health care practitioners and their representatives argued that seeking a patient’s consent to disclose confidential information is an ethical requirement that strengthens the physician-patient relationship.” Id.

“The comments and fact-finding indicate that our approach [requiring consent for use and disclosure of personal health information] will not significantly change the administrative aspect of consent as it exists today”. 65 Fed. Reg. at 82,474.

In the light of these findings in the rule making record, it cannot be disputed that citizens have a “reasonable expectation” that their personal health information will not be used or disclosed without their consent.

CONSTITUTIONAL DEFECTS IN THE PRIVACY RULE

The amendments to the federal Health Information Privacy Rule published in final form on August 14, 2002 violate the 1^st, 4^th, and 5^th Amendments to the Constitution.

A. Violation of 5^th Amendment

It is now well-recognized that all citizens have a “clearly established” right to privacy under the Fifth Amendment of the U.S. Constitution. The right to privacy of medical tests falls squarely within the contours of the recognized right [under the 5^th Amendment] of one to be free from disclosure of personal matters. It is now established that the United States Constitution provides some protection of individual’s privacy. Although the full measure of the constitutional protection of the right to privacy has not yet been delineated, we know that it extends to two types of privacy interests: One is the individual’s interest in avoiding disclosure of personal matters, and another is the interest in independence in making certain kinds of important decisions. In Olmstead v. United States, 277 U.S. 438, 478, 48 S.Ct. 564 (1928), Justice Brandeis wrote of “the right to be let alone-the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion of the government upon the privacy of an individual…must be deemed a [constitutional] violation”. (Brandeis, J., dissenting).

By granting “regulatory permission” for any covered entity to use or disclose personal health information for any citizen, the amendments eliminate the right to privacy in personal information guaranteed by the Constitution.

The degree of protection afforded by the 5^th Amendment varies with the type of information, but the constitutional protections are greater for personal matters and particularly high for medical information. Private medical information is well within the ambit of materials entitled to privacy protection under the 5^th Amendment. The disclosure of the results of medical tests falls squarely under the contours of the recognized right of one to be free from the disclosure of personal matters under the 5^th amendment. It has been recognized in various contexts that medical records and information stand on a different plane than other relevant material.

The compelled involuntary disclosure of medical information without consent warrants particularly close scrutiny under the 5^th Amendment. The right not to have intimate facts concerning one’s life disclosed without one’s consent is a venerable one.

B. Violation of the 4^th Amendment

It would also appear that the authorization granted by the government to covered entities to obtain virtually any health information about citizens would be a violation of the 4^th Amendment protections against “unreasonable searches and seizures”. Drug tests on urine samples by a public hospital were “indisputably searches within the meaning of the Fourth Amendment” in City of Charleston (2001).

Under the amendments, covered entities would be entitled to obtain all types of genetic and health information without the consent of the individuals, and even against their will, under the authority of “regulatory permission” furnished by the federal government.

C. Violation of 1^st Amendment

The amendments’ authorized use and disclosure of nearly any personal medical information that may arise in the course of communications between a patient and a physician would seem to violate the 1^st Amendment right to private conversations and to have a chilling effect on future communications between physicians and patients. The rule making record contains findings indicating that this will be the inevitable result of the amendments. Those findings state that patients who are worried about their medical privacy “often take steps to protect their privacy”, including refusing to participate fully in the diagnosis and treatment of their medical conditions, and “changing physicians or avoiding care altogether”. 65 Fed. Reg. at 82,468.

As the Supreme Court recently noted, the 1^st Amendment protects the “freedom to not speak publicly, one which serves the same ultimate end as freedom of speech in its affirmative aspect”.

Further, the fear of public disclosure of private conversations “might well have a chilling effect on private speech”. Such a “chilling effect”, according to the rule making record does, in fact, occur and has an adverse effect on access to necessary health care. “In short, the entire health care system is built upon the willingness of individuals to share the most intimate details of their lives with their health care providers.” 65 Fed. Reg. at 82,467. There is also little doubt that a constitutional violation can occur with simply a threat. The threat to breach some confidential aspect of one’s life then is tantamount to a violation of the privacy right, because the security of one’s privacy has been compromised by the threat of the disclosure.

THE GRAMM-LEACH-BLILEY FINANCIAL SERVICES ACT OF 1999: IMPACT ON GENETIC AND MEDICAL PRIVACY

This act permits financial institutions to share sensitive individual financial and medical data with affiliates and non-affiliates. Unfortunately, insurers and health plans are often affiliated with financial institutions, so individually identifiable health information can be shared and used to determine credit rates and evaluate mortgage and loan applications, not just to determine insurability or eligibility for benefits. The potential abuses of medical and genetic information by financial institutions and their affiliates and non-affiliates are virtually unlimited. Picture credit rates based on blood pressures, car loans based on HIV viral loads, or mortgages denied if your parent is diagnosed with Alzheimer’s disease or if you test positive for the breast cancer gene.

Knowing that medical and genetic data will affect credit and financial transactions can only further destroy the nation’s already compromised health care system. More and more people will totally avoid medical care, or lie about or omit important physical or mental symptoms or details, and endanger their own lives and the lives of those in their communities.

CONCLUSION

The Preamble to the Constitution states that one of the purposes of the Constitution is to “secure the blessings of liberty for ourselves and for posterity”. That is exactly what we fail to do if we allow the federal government to eliminate the right to consent to the release of medical and genetic information. Our children will lose their privacy and their liberty. James Madison’s vision was that the Constitution should protect each citizen from the government, because he understood that the real danger to private citizens would always come from entrenched government power.

Ironically, the privacy of the medical records of animals in zoos is being guarded more carefully than the privacy of human genetic and medical records. After the death of Ryma, a beloved giraffe in the National Zoo, Washington Post staff reporter D’Vera Cohn requested his medical records, necropsy, and pathology reports. “The Smithsonian Institution’s National Zoo has taken the position that viewing animal medical records would violate the animal’s right to privacy and be an intrusion into the zookeeper-animal relationship.” (National Zoo Cites Animal Privacy Concerns in Its Refusal to Release Animal’s Medical Records, by James V. Grimaldi, in the Washington Post, HEARSAY, The Lawyer’s Column, May 6, 2002, page E12). Animals are being granted their privacy rights by zookeepers just as the federal government is usurping basic human rights to privacy guaranteed under the 1^st, 4^th, and 5^th amendments to the Constitution.

This new doctrine of federal “regulatory permission” establishes a dangerous precedent. It provides a mechanism for the extraordinary centralization of power and information in the federal government and creates a mechanism to deprive citizens of basic civil liberties. The government is substituting its power in the place of the right of individuals to choose who has access to the most personal information that exists about them, their genetic and medical records. The precedent of eliminating individual’s basic rights by fiat and substituting governmental power is anathema to democracy and liberty.

Across history and across cultures, people have been willing to die for the liberty of future generations. Will we squander our precious liberty? Will we squander our privacy and that of our children and future generations? Will we fail to fulfill the promise of our Constitution?

If we allow the federal government to give “regulatory permission” to take away our basic right to privacy, what will prevent the government from taking away other basic freedoms?

REMEDIES

I believe the American public would benefit from the following actions:

1) Congress has 60 days review the major changes in the Privacy Rule proposed on August 14^th. Congress should vote down the amendments. Every US Representative and US Senator should have to vote on the rule changes, so that citizens will know whether or not their elected officials are defending the right of individuals to protect sensitive genetic and medical records by keeping the right to consent.

The right to medical privacy is important to even the holders of the highest office in the

land. If we had known Ronald Reagan had a high risk of developing Alzheimer’s disease,

would he have been elected president?

2) Restore the basic right of individuals to consent to the release of their medical and genetic information.

I believe every American, including those yet to be born, will thank you for your courage and leadership in this effort to keep the corporate health care industry and the federal government from appropriating everyone’s vital genetic and medical information. In the final analysis, the systemic breach and disclosure of genetic and medical privacy puts every American who now suffers, or will suffer from illness, at great risk of harm and discrimination.

Thank you so much for the honor of addressing you on genetic privacy, a critical issue for medicine and health care, and a basic Constitutional right.

ADDENDUM: FEDERAL HEALTH PRIVACY RULE AMENDMENTS: IMPACT ON QUALITY HEALTH CARE, A Briefing for Members of Congress and Their Staffs

August 19, 2002

FEDERAL HEALTH PRIVACY RULE AMENDMENTS:

IMPACT ON QUALITY HEALTH CARE

A Briefing for Members of Congress and Their Staffs

August 19, 2002

“…few experiences are as fundamental to liberty

and autonomy as maintaining control over when

how, to whom, and where you disclose personal material”

“The right to privacy, it seems, is what makes us civilized.”

Preamble to the pre-amendment Privacy Rule,

65 Fed. Reg. 82,464-65

1. What has happened with respect to the rights and standards for health information privacy?

Answer

On August 14, 2002, the Department of Health and Human Services issued final amendments to the current federal Privacy Rule. (67 Fed. Reg. 53182) Those amendments made radical changes in key rights and responsibilities of consumers and entities covered by the Privacy Rule that went into effect on April 14, 2001. Major changes were made in the areas of consent, marketing, minimum necessary disclosures, notice, and accounting for disclosures as well as others.

The two most significant changes were

A. The repeal of the right of consumers to not have their identifiable health information disclosed without their consent; and

B. “Regulatory permission” provided by the federal government for most uses and disclosures of identifiable health information.

[“The consent provisions of 164.506 are replaced with a new provision at 164.506(a) that provides regulatory permission for covered entities to use or disclose protected health information for treatment, payment, and health care operations.”] (67 Fed. Reg. at 53,211)

2. What is the significance of the changes in the Privacy Rule?

Answer

The repeal of the right of consent eliminates the most essential and fundamental element of the “federal floor of privacy protections” for the right of medical privacy contained in the current Privacy Rule. (65 Fed. Reg. at 82,471) Without the right to give or withhold consent for the use or disclosure of protected health information, consumers will lose their power under law to protect their right to medical privacy.

Furthermore, the blanket “regulatory permission” provided by these amendments for the use and disclosure of identifiable health information sets a dangerous precedent for the proposition that the federal government may waive “fundamental rights” on behalf of citizens of the country, regardless of their wishes and even against their will. (See 65 Fed. Reg. at 82,464 where HHS recognizes that “privacy is a fundamental right.” )

Finally, the loss of medical privacy results in the loss of access to quality health care. As the preamble to the current Privacy Rule found,

“Privacy is necessary to secure effective, high quality health care.

While privacy is one of the key values on which our society is built,

It is more than an end in itself. It is also necessary for the effective

delivery of health care, both to individuals and to populations.” (65 Fed. Reg. at 82,467)

3. When will the amendments to the Privacy Rule become effective?

Answer

The effective date of the amendments to the Privacy Rule is October 15, 2002. (67 Fed. Reg. at 53, 182) The “compliance date”, the date by which “covered entities” must be in compliance with the Privacy Rule, is April 14, 2003, approximately 6 months later. (67 Fed. Reg. at 53,183)

4. Since the compliance date for the Privacy Rule is April 14, 2003,

are the rights under the pre-amendment Privacy Rule in effect?

Answer

Yes, the rights under the pre-amendment Privacy Rule, including the right of consent , vested in all Americans on the effective date established by the Bush Administration which is April 14, 2001. (65 Fed. Reg. 12,433)

In announcing the April 14, 2001 effective date of the pre-amendment rule, Secretary Thompson stated that

“President Bush wants strong patient protections put in place now.

Therefore, we will immediately begin the process of implementing

the patient privacy rule that will give patients greater access to their

own medical records and more control over how their personal

information is used. “

Secretary Thompson also stated:

“The President considers this a tremendous victory for American

consumers…”

On October 15, 2002, the effective date of the amendments, the right of consent which vested on April 14, 2001, will be repealed.

5. Under the amended Privacy Rule, who will have access to what health information without the patients’ consent?

Answer

The Privacy Rule applies to “covered entities” and their “business associates”. As the attached summary of the terms shows, covered entities are health plans (such as HMO’s and Medicare Part A and B), health care clearinghouses (entities that process health information), and health care providers (any person or entity who furnishes, bills, or is paid for health care). Business associates are a broad range of entities and individuals that provide services to or for covered entities. 160.103

HHS has estimated that the Privacy Rule affects “over 600,000 entities and virtually every American”. 66 Fed. Reg. at 12,739.

The health information that can be covered by the Privacy Rule is any virtually any identifiable health information relating to the “past, present, or future physical or mental condition of an individual”. 164.501

The amendments to the Privacy Rule would permit these covered entities and business associates to use and disclosure identifiable health information for three broad purposes-treatment, payment and health care operations. 67 Fed. Reg. at 53,211. Many of these purposes, particularly health care operations activities, are related to the business operations of covered entities rather than the need to provide health care to an individual. They include, for example, “business planning and development”, and business management and general administrative services”. The definitions of treatment, payment and health care operations are so broad that they encompass most of the uses and disclosures of health information. See attached list of activities.

Under the amendments, hundreds of thousands of entities and individuals nationwide will be able to use and disclose identifiable health information without the patient’s consent or permission so long as they contend that they need it for a purpose related to treatment, payment and health care operations. It is unlikely that any identifiable health information would be immune from use and disclosure without the patient’s consent under this standard.

6. What about the HHS’ contention that consent under the pre-amendment rule was “mandatory” and that HHS is merely making it “optional”?

Answer

Consent is only “mandatory” under the pre-amendment Privacy Rule in that it must obtained for the use or disclosure of the patient’s identifiable health information. The patient has the “option” to give or withhold consent depending on whether he or she wants identifiable health information used or disclosed.

Under the amended Privacy Rule, the patient has no option. The patient’s identifiable health information is disclosed regardless of the of the patient’s wishes. The “option” to obtain consent is only “optional on the part of all covered entities”. 67 Fed. Reg. at 53,211. If the covered entity does not wish to provide an opportunity for consent, the patient will no longer have a right under law to insist that the opportunity for consent be provided.

7. What about HHS’ contention that patients’ medical privacy can be protected by the “right to request restrictions”? (67 Fed. Reg. at 53,211)

Answer

The Privacy Rule is quite clear that covered entities are “not required to agree to a restriction” with respect to the use and disclosure of identifiable health information. 164.522(a)(1)(ii) Covered entities may have a consent process “if they wish to do so”. (67 Fed. Reg. at 53,211) Accordingly, the right to request restrictions is tantamount to a “right to beg” a covered entity to enter into a consent agreement. The patient has no right to obtain such an agreement.

8. What about rights of consent under state statutory and common law and ethical and other practice standards of medical professions?

Answer

The preamble to the pre-amendment Privacy Rule pointed out that approximately half of the states have statutory medical privacy laws that require consent for disclosure of varying types of identifiable health information and that common law in many other states recognizes that the right to privacy implies a right of consent. (65 Fed. Reg. at 82,473) Further, consent is commonly required for the use and disclosure of health information by the ethical and practice standards of professional medical associations. (65 Fed. Reg. at 82,472)

The preamble to the amendments does not contest this finding but merely states that the amendments do “not interfere with such laws and ethical standards”. (67 Fed. Reg. at 53,212) Accordingly, the final amendments tacitly acknowledge that they are out of step with state law and professional medical ethical standards. The failure to retain the right of consent as part of the floor of federal privacy protections will breed confusion and loss of trust by patients who must determine what their rights are under 50 state laws as their identifiable health information is increasingly transmitted around the country with the punch of a button.

9. Does the “minimum necessary” standard provide adequate protection for the right of medical privacy?

Answer

The “minimum necessary” standard is unlikely to provide the type of reliable privacy protection that will preserve the public’s confidence in the health delivery system. The basic concept of this standard is to limit the identifiable health information that is requested or disclosed to that which is necessary for the purpose of the use or disclosure. 164.502(b)

First, the standard only requires covered entities to use “reasonable efforts” to limit the amount of identifiable health information that is used or disclosed for a given purpose. 164.502(b)(1). Second, the range of health information subject to the “minimum necessary” standard varies with the size and sophistication of the covered entity seeking the information. As the preamble to the amendments states, “the Department’s intent [is] that the minimum necessary standard is reasonable and flexible to accommodate the unique circumstances of the covered entity.” (emphasis supplied) (67 Fed.Reg. at 53,196) Third, the minimum necessary limitation does not apply to (1) uses or disclosures required by law, (2) disclosures initiated by the individual, (3) uses or disclosures required for compliance with the Privacy Rule, and (4) disclosures to HHS for the purposes of enforcing the Privacy Rule. (67 Fed. Reg. at 53,195) Fourth, the amendments add an exemption from the minimum necessary standard for any uses or disclosures made pursuant to an authorization provided by the patient. Fifth, covered entities can request, use and disclose the patient’s entire medical record, thereby abrogating the minimum necessary standard, “provided that the covered entity has documented the specific justification for the request or disclosure…” 67 Fed. Reg. at 53,197.

The preamble states that the covered entity who holds the information always retains the discretion to make its own minimum necessary determination and that this standard is intended to be “consistent with, and not override, professional judgment and standards”. 67 Fed. Reg. at 53,197. However, covered entities are permitted to assume that any information requested by another covered entity is the minimum necessary for that covered entity’s intended purpose. (67 Fed. Reg. at 53,197) Further, it is unclear whether ethical standards, which generally do not have the force of law, would prevail over the blanket “regulatory permission” granted in these amendments for the use and disclosure of virtually all health information.

In any event, the minimum necessary standard provides little, if any, effective protection for medical information privacy.

10. What about the Administration’s contention that the elimination of the patients’ right of consent is offset by the requirement for a strengthened privacy notice? (67 Fed. Reg. at 53,211)

Answer

According to the preamble to the amendments, the privacy notice is only intended to provide patients with “the opportunity to engage in important discussions regarding the use and disclosure of their health information”. (67 Fed. Reg. at 53,200) The notice process does not provide patients with any right or power to control the use or disclosure of their identifiable health information.

Further, the amendments make clear that covered entities with direct treatment relationships with patients are only required to make “a good faith effort” to ensure that the patients receive the notice. (67 Fed. Reg. at 53,239) Covered entities without a direct treatment relationship are not required to make even this effort. (67 Fed. Reg. at 53,239)

11. What about the Administration’s claim that the consent requirement in the current Privacy Rule could have prevented access to needed health care? (67 Fed. Reg. at 53,210)

Answer

The principal reason cited for eliminating the right of consent in all situations for all consumers and all covered entities was that having to obtain consent for the use and disclosure of health information could have prevented providers from making necessary arrangements prior to their first encounter with the patient. (67 Fed. Reg. at 53,209) HHS acknowledged that commenters had suggested solutions which would ensure that the patients’ wishes would be carried out and access to health care would be preserved. However, HHS repealed the right of consent because it wanted a “global fix to the consent problems”. (67 Fed. Reg. at 53,210)

In any event, HHS indicates that it is not repealing the requirement for consent for treatment, so providers will still have to obtain consent for this purpose, but covered entities will not have to obtain consent for the use and disclosure of identifiable health information.

Thus, HHS has repealed the only effective protection which consumers had for the “fundamental right” of their medical privacy in an effort to address the concerns of certain covered entities in limited circumstances. In taking this action, HHS has ignored nearly all of the findings set for in the preamble to current Privacy Rule which show that most citizens expect and want medical privacy and the right of consent and that these protections are essential for access to quality health care. (See attached list of findings.)

For more information, contact:

Jim Pyles

Powers, Pyles, Sutter and Verville, P.C.

1875 Eye Street, NW

Washington, D.C. 20006

(202) 466-6550

e-mail: Jim.Pyles@ppsv.com

on behalf of the American Psychoanalytic Association

I. What information is covered by the Privacy Rule?-individually identifiable health information which is any information oral or recorded in any medium that

A. is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university or healthcare clearinghouse and

B. relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to the individual.

C. identifies the individual

D. there is a reasonable basis to believe that the information can be used to identify the individual 160.103

II. Who will have access to it? “Covered entities” which are

A. a health plan (including a group health plan, a health insurance issuer, an HMO, and Part A and B of Medicare)

B. a health care clearinghouse

C. health care providers

D. “business associates” of all of the above including those outside the covered entity’s work force who perform any of the following functions

1. claims processing or administration

2. data analysis

3. utilization review

4. quality assurance

5. billing

6. benefit management

7. practice management or repricing

8. legal services

9. accounting

10. actuarial services

11. consulting services

12. data aggregation

13. management

14. administrative services

15. accreditation

16. financial services

17. anyone else performing a service on behalf of a covered entity which involves the use or disclosure of identifiable health information

III. For what purposes can the information be obtained without consent or authorization?

A. Treatment-provision, coordination or management of health care and related services, consultation between providers relating to a patient or the referral of a patient from one provider to another. 164.501

B. Payment -activities by a health plan to obtain premiums or determine coverage, by a provider to obtain reimbursement

C. Health care operations

1. conducting quality assessment and improvement activities;

2. population-based activities related to improving health or reducing health care costs, protocol development, case management and care coordination;

3. contacting health care providers and patients about treatment alternatives;

4. reviewing the competence and qualifications of health care professionals;

5. evaluating practitioner and provider performance;

6. evaluating health plan performance;

7. conducting training programs;

8. accreditation, certification, licensing or credentialing activities

9. underwriting

10. premium rating

11. other activities relating to the creation, renewal, or replacement or a contract of health insurance or health benefits

12. ceding, securing or placing a contract for reinsurance of risk relating to claims for health care;

13. conducting, or arranging for medical review, legal services, and auditing functions;

14. business planning and development;

15. business management and general administrative activities;

16. the sale, transfer, merger, or consolidation or all or part of a covered entity and the due diligence;

17. creating de-identified data or a limited data set and ;

18. fundraising.

D. 12 other specified uses such as law enforcement, public health and oversight 164.501 and 164.512

HEALTH INFORMATION PRIVACY RULE

Congressional Briefing

August 19, 2002

I. History

A. August 21, 1996- Health Insurance Portability and Accountability Act enacted, section 264 requires Congress, by August 21, 1999, or the Secretary of HHS, by February 21,2000, to establish the rights that individuals “should have” with respect to individually identifiable health information.

B. September 11, 1997- Secretary of HHS submits recommendations to Congress with respect to privacy rights and standards.

C. November 3, 1999- HHS issues proposed Privacy Rule to implement section 264 of HIPAA. (64 Fed. Reg. 59,918)

D. December 15, 1999- HHS extends comment period by more than

30 days. (64 Fed. Reg. 69981)

E. December 28, 2000- HHS issues final Privacy Rule implementing section 264 of HIPAA, with an effective date of February 26, 2001. (65 Fed. Reg. 82,462)

F. February 26, 2001- HHS, under Bush Administration, delays the

effective date to April 14, 2001 in order to provide Congress an

opportunity to review the Rule under the Congressional Review Act.

(66 Fed. Reg. 12,434)

G. February 28, 2001- HHS reopens comment period of Privacy Rule

for another 30 days. (66 Fed. Reg. 12,738)

H. April 12, 2001- HHS announces that the Privacy Rule will be put into effect

on April 14, 2001 stating that “The President considers this a tremendous victory for American consumers…” (Statement by HHS Secretary Tommy G. Thompson (April 12, 2001); 65 Fed. Reg. 12,433)

I. March 27, 2002- HHS proposes major changes in Privacy Rule and provides 30-day comment period. (67 Fed. Reg. 14,776)

J. August 14, 2002- HHS publishes final amendments to Privacy Rule reversing policy announced on April 12, 2001. (67 Fed. Reg. 53,182)

II. Index to Amendments

Subject Page Final Modification

1. Marketing 53, 183 53,185

2. Health care operations 53,190 53,190

3. Protected health

information 53,191 53,192

4. Incidental uses and

disclosures 53,193 53,193

5. Minimum necessary 53,195 53,196

6. Parents and personal

representatives of minors 53,199 53,200

7. Hybrid entities 53,203 53,205

8. Group health plan

disclosures 53,207 53,207

9. Consent 53,208 53,210

10. Disclosures for TPO

of another entity 53,214 53,216

11. Restructuring

authorization 53,219 53,220

12. Research authorizations 53,224 53,224

13. Uses and disclosures

regarding FDA regulated

products and activities 53,226 53,230

14. IRB or Privacy Board

Waiver of authorization 53,229 53,230

15. De-identification of

protected health

information 53,232 53,233

16. Limited data sets 53,234 53,235

17. Notice of privacy

rights 53,238 53,239

18. Accounting of disclosures 53,243 53,244

19. Transition provisions 53,247 53,248

20. Business associates 53,248 53,250

21. Technical corrections 53,254

22. Final regulatory impact

analysis 53,255

23. Preliminary regulatory

flexibility analysis 53,260

24. Collection of information

requirement 53,260

25. Unfunded mandates 53,262

26. Environmental

impact 53,262

27. Executive order

13132: Federalism 53,262

28. Sample business

associate contract 53,262

29. Amendments to rule 53,266-269

PRE-AMENDMENT PRIVACY RULE FINDINGS

1. “Privacy is a fundamental right. As such, it must be viewed differently any ordinary economic good.” 65 Fed. Reg. at 82,464.

2. “A right to privacy in personal information has historically found expression in American law. All fifty states today recognize in tort law a common law or statutory right to privacy.” Id.

3. “In the Declaration of Independence, we asserted the ‘unalienable right’ to ‘life, liberty and the pursuit of happiness.’ Many of the most basic protections in the Constitution of the United States are imbued with an attempt to protect individual privacy while balancing it against the larger social purposes of the nation.” Id. (citing the Fourth Amendment’s ‘right of the people to be secure in their persons’ as an example).

4. “The need for security of ‘persons’ is consistent with obtaining patient consent before performing invasive medical procedures. . . . Informed consent laws place limits on the ability of other persons to intrude physically on a person’s body. Similar concerns apply to intrusions on information about the person.” Id.

5. “. . . ‘[F]ew experiences are as fundamental to liberty and autonomy as maintaining control over when, how, to whom, and where you disclose personal material.’” Id.

6. “Privacy covers many things.…It protects our right to be secure in our own homes and possessions, assured that the government cannot come barging in.” 65 Fed. Reg. at 82,465.

7. “Privacy is necessary to secure effective, high quality health care. While privacy is one of the key values on which our society is built, it is more than an end in itself. It is also necessary for the effective delivery of health care, both to individuals and to populations.” 65 Fed. Reg. at 82,467.

8. “Patients who are worried about the possible misuse of their information often take steps to protect their privacy” including “providing inaccurate information to a health care provider, changing physicians, or avoiding health care altogether.” 65 Fed. Reg. at 82,468.

9. “Health care professionals who lose the trust of their patients cannot deliver high-quality care.” Id.

10. “The issue that drew the most comments overall [when the current Privacy Rule was proposed] is the question of when individuals’ permission should be obtained prior to the use or disclosure of their health information.” 65 Fed. Reg. at 82,472.

11. “Comments from individuals revealed a common belief that, today, people must be asked permission for each and every release of their health information….Our review of professional codes of ethics revealed partial, but loose, support for individuals’ expectations of privacy.” Id.

12. “While our concern about the coerced nature of these consents remains, many comments that we received from individuals, health care professionals, and organizations that represent them indicated that both patients and practitioners believe that patient consent is an important part of the current health care system and should be retained.” 65 Fed. Reg. at 82,473.

13. “Many health care practitioners and their representatives argued that seeking a patient’s consent to disclose confidential information is an ethical requirement that strengthens the physician-patient relationship.” Id.

“The comments and fact-finding indicate that our approach [recognizing the individual’s right to consent] will not significantly change the administrative aspect of consent as it exists today.” 65 Fed. Reg. at 82,474.