March 5, 2001
The Honorable Tommy G. Thompson
Dear Secretary Thompson:
I am pleased to have this opportunity to comment on the proposed regulation regarding medical privacy issued under the Health Insurance Portability and Accountability Act (HIPAA). Considering the unseemly rush to get the rule finalized before the end of the previous Administration, I think it is indeed prudent to look before we leap.
As you may know, I have taken a considerable interest in privacy issues. I was among the first to question the legitimacy of the "Carnivore" program at the Department of Justice, which is designed to track the Internet activity of suspected criminals without detection but threatens the privacy of every e-mail you or I send. I have also worked with Rep. Billy Tauzin to determine how well Federal government web sites protect online privacy, as defined by the Federal Trade Commission. I take the privacy of personal information very seriously.
The HIPAA regulations were drafted to address a concern that many Americans have that their personal medical records are not kept private. The lengthy document outlines complicated new requirements for patients to sign authorizations for the release of personal information under specific circumstances. It is not entirely clear to me how the new rules will actually address real medical privacy harms currently suffered by patients not already covered by tort law or other remedies. Nonetheless, the stated purpose of the rules was to improve the privacy of medical records.
The proposed HIPAA regulations, however, may actually have the opposite effect, putting private personally identifiable information at greater risk than exists today. What has not been widely reported are the rule's new mandates requiring doctors, hospitals, and other health care providers to share patients' personal medical records with the federal government, sometimes without notice or advance warning. (See, for example, Federal Register, Vol. 65, No. 250, December 28, 2000, p. 82802, Sec. 160.310.)
The federal government is probably the single largest collector and compiler of personally identifiable medical information in America. Federal computer databanks are filled with intimate details of the medical histories of millions of Americans, and often the poor, who are least able to monitor and safeguard their own rights. The Medicare and Medicaid systems, the Veterans Health Administration, and other government-run health care programs all collect the kinds of medical information the proposed privacy regulation is supposed to protect. Far from protecting privacy, the proposed regulation actually provides the federal government with more access to people's personal medical records.
A "Trust me, I'm from the government" approach just won't wash. People who are concerned about having their medical histories wind up in the wrong hands don't care whether it is their doctor or their government that threatens their privacy. They want their privacy protected.
The federal government certainly has not earned a reputation of trustworthiness in the handling of medical records or in safeguarding Internet privacy sufficient to justify the proposed regulation. Last year, Rep. Tauzin and I commissioned a study with the General Accounting Office that showed 97 percent of federal government web sites failed to meet the privacy standards recommended by the Federal Trade Commission for commercial web sites. Among the agency web sites reviewed were the Food and Drug Administration, the Health Care Financing Administration, the Veterans Health Administration, and the National Institute of Allergy and Infectious Diseases. We should first determine whether these agencies can be trusted with personally identifiable medical information before we grant them new power to collect such information.
Similarly, Rep. Steve Horn, chairman of the House Government Reform and Oversight Subcommittee, conducted a review of how well federal departments and agencies maintain computer security. The Department of Health and Human Services received a failing grade. Yet the proposed regulation would channel even more personal medical information to HHS. Before requiring health care providers to hand sensitive personal information over to HHS, Americans deserve to know that their medical records will in fact receive the highest level of protection and security.
We cannot afford to have another Department of Veterans Affairs' disaster. Last year, the VA's Office of Inspector General testified at a congressional hearing that veterans' medical records were at risk. According to an article in National Journal's Technology Daily, hackers were easily able to take total control of all veteran benefit records. This information includes mental health information and other sensitive data. Under questioning from Rep. Terry Everett, the agency's auditor said, "These weaknesses were so serious as to reveal information at the individual veteran level." Imagine the backlash if the federal government required the collection of personal medical information, and then left it vulnerable to those seeking to misuse that information, be they external hackers or disgruntled bureaucrats with an axe to grind.
In short, this proposed regulation puts the medical privacy of millions of Americans at risk. Handing sensitive medical records to federal departments and agencies that are ill-equipped to protect that information is not a solution; it is inviting abuse, errors, scandal, and tragedy.
I urge you to put the Clinton Administration's privacy regulation on hold until a comprehensive review can be conducted as to the wisdom of handing over personal medical records to the federal government, and until Americans can be convinced that this is the best way to protect their privacy. Thank you for your consideration.