Privacy Rights Clearinghouse
COMMENTS TO U.S.
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Submitted by the Privacy Rights Clearinghouse
September 13, 2010
Department of Health and Human Services
Office for Civil Rights
Attention: Privacy and Security Rule Modification
Hubert H. Humphrey Building, Room 509F
200 Independence Avenue, SW
Washington, DC 20201
Submitted via: www.regulations.gov 
RE: RIN 0991-AB57 – Privacy and Security Rule Modification, Federal Register, July 14, 2010, 75 Federal Register 40868, http://edocket.access.gpo.gov/2010/pdf/2010-16718.pdf.
The Privacy Rights Clearinghouse (PRC) appreciates the opportunity to comment on the Department of Health and Human Services (HHS) proposed modifications to existing Health Insurance Portability and Accountability Act (HIPAA) rules. We direct our comments as follows:
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 calls for certain changes to previously issued HHS rules regarding the privacy of individuals’ medical records (the Privacy Rule), the security of electronic health records (the Security Rule), and the enforcement of the privacy and security provisions (the Enforcement Rule). The current rule proposal encompasses the HITECH modifications for all three HIPAA rules.
Generally, the proposed rules are a step forward in ensuring that individuals have control over their private medical information. Additionally, HITECH and the proposed rules add much needed force to HHS’s responsibility and ability to enforce and remedy violations. We limit our comments here to issues concerning the proposed modifications to the Privacy Rule and the proposal to establish educational programs within the Office for Civil Rights (OCR) Regional Offices.
HHS solicits comment on how the opt out should apply to future subsidized treatment communications and on whether individuals should be given an opportunity to opt out of receiving treatment communications before receiving such communications. HHS, unfortunately, is not considering the alternative of an opt in, that is, requiring the individual’s authorization before such treatment communications are sent.
First, we believe the exclusion of treatment communications from the definition of marketing creates a significant loophole in HITECH’s general rule that communications made for payment are marketing communications that require the individual’s valid authorization. The HITECH provision is really quite simple: if payment from a third party is involved, the communication is marketing. As long as remuneration is involved, there are no safeguards to ensure that communications are made for the patient’s benefit and not for commercial gain. HHS should reconsider the treatment exception.
In the alternative, patient consent, or an opt in, should be provided when a covered entity receives remuneration for advising patients about various treatments or health-related products. Including an opt-out opportunity with the covered entity’s required privacy notice is insufficient to allow patients to make an informed choice. It is almost certain that few patients actually read multiple-page privacy notices.
When a patient appears for an appointment, the most important thing on their mind is to receive treatment for their current condition. If HHS persists in its proposal to allow only an opt out for paid treatment communications, as a minimum the opt out should be presented in a separate document apart from the covered entity’s notice of privacy practices. This approach, however, would provide a weak alternative to a true opt in.
An opt out not only fails to give patients adequate notice, but also creates an additional burden for the provider. Under the proposed scheme, a provider would be required to establish a toll-free number, an e-mail address or some other mechanism for processing opt-out requests.
A less burdensome scheme for providers and patients would be for HHS to categorize all communications that involve remuneration from a third party as marketing. Then a provider that receives payment from a third party could simply ask for the patient’s authorization at the time treatment is first received. This would reduce patient confusion and avoid the necessity for the provider to revise privacy notices and establish a mechanism to process patient opt-out requests.
In the end, an opt-out scheme is simply unworkable as a means of putting patients on notice. The proposed rules also lack a way for the patient to verify that their opt out has been processed. In addition to failing to inform patients and adding burdens on covered entities, an opt-out scheme creates another layer of enforcement responsibilities for HHS, one that is likely to receive low priority.
In addition to modifications to the Privacy, Security and Enforcement Rules, HITECH requires HHS to designate regional office privacy advisors to offer guidance and education. Education and guidance will be available for covered entities, business associates, and individuals. HHS, in the current rulemaking, has not requested comment on the extent or focus of such education. However, the PRC takes this opportunity to suggest some areas of guidance that would be helpful to individuals and covered entities alike.
One of the prime missions of the PRC is to provide one-on-one answers to consumers who contact our telephone hotline or submit questions to our online inquiry form. Inquiries cover a wide range of privacy issues, including telephone privacy, credit reports, employment background checks, financial privacy, collections, Internet privacy, and more.
Questions about medical privacy are one of the top reasons consumers call the PRC or submit written questions. This experience makes the PRC uniquely qualified to suggest areas where individuals need guidance and education. We note that PRC also frequently receives questions from covered entities and attorneys who are acting on behalf of patients or covered entities.
Major areas of concern evident from our public inquiries are: (1) careless handling of medical records; (2) undue restrictions placed on access to records; and (3) questions about personal information patients must supply to health care providers and insurers.
Careless handling of medical records has prompted several complaints to the PRC in recent months. Typically, the individual who contacts PRC has ordered their own medical records by mail and receives another person’s records instead. In some cases, the individual receives some of his or her records mixed with another person’s records. Others have complained of repeated attempts to stop a covered entity from faxing patient records to the wrong fax number. In another instance, a person left a hospital thinking the package contained her own medical records only to later find that the package included records of multiple other patients.
Individuals have also reported undue restrictions, not included in HIPAA, placed on their ability to get copies of medical records. For example, some patients have been told they cannot get copies of their medical records unless an outstanding medical bill is paid. Others have been told the office charges a flat rate for copies of medical records. In one instance the patient’s notarized signature was required before records were provided. We do not believe such instances represent ill will on the part of providers, but rather a lack of adequate training, particularly for small providers.
The forms of identification required to obtain treatment or health insurance have also raised a number of privacy concerns. Individuals have reported being required to provide copies of their Social Security card or driver’s license. Others have reported cameras in treatment offices or being required to be photographed.
Several individuals have expressed concern that their health insurer has threatened to deny benefits unless they provide extensive identifying information such as Social Security numbers and birth records.
Required forms of identification are one area where individuals, providers, and insurers need guidance from HHS. On the one hand, individuals are quite concerned today about the threat of identity theft and have been educated, as a preventive measure, to closely guard personal information, particularly their Social Security number. On the other hand, medical identity theft is a major problem, the scope of which has only recently come to light. This is truly an area where balancing interests through guidance from the government is needed.
In 2005 the PRC began to compile a chronology of data breaches documented primarily by news reports. By August 26, 2010, the PRC had compiled a record of more than 500 million sensitive records that had been involved in a data breach incident. PRC’s August report is available at: www.privacyrights.org/500-million-records-breached.
The PRC’s list of data breaches is found here: http://www.privacyrights.org/data-breach#CP. Please note that the user can create customized lists by type of breached entity (medical, for example, or educational), type of breach (portable media, for example), and year.
As of this writing, since 2005, 14,534,477 sensitive medical records have been involved in data breach incidents. Information exposed has included all manner of personal data including medical diagnoses, Social Security numbers, driver’s license numbers, name, home address, birth dates, financial account information, and more. Alarming as this number is, it is even more troublesome to find that many of these breach incidents involved electronic medical records stored unencrypted on lost or stolen electronic devices, data that is subject to the HIPAA Security Rule.
Without a doubt, the unacceptable number of incidents involving sensitive medical records points to an urgent need for HHS to take a strong stand in enforcing the Security Rule and in seeking adequate remedies against entities that fail to provide adequate safeguards.
We further recommend that HHS expand the descriptive information it provides in its own list of medical breaches (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html). The bare-bones data included in this list is not sufficient to inform providers, practitioners, patients, and consumers about such breaches.
Our most immediate concern is that HHS has created an unwarranted loophole in HITECH’s clear mandate that a communication for which a covered entity receives payment is a “marketing” communication that requires the individual’s authorization. We strongly urge HHS to reconsider this proposed exception to marketing for communications made for treatment.
We also urge HHS to take prompt steps to establish much needed guidance and education facilities in regional offices. HHS should consider establishing a telephone hotline, an online inquiry form, and/or a public forum to provide direct, one-on-one answers to individuals and covered entities. As discussed in Part 3 above, PRC’s experience has shown that all parties involved have both misunderstandings and a lack of basic knowledge about medical privacy and the limitations of the rules. HIPAA, without question, is a very complex set of rules, and the guidance needed goes beyond what can be accomplished through written materials alone.
Again, the PRC appreciates the opportunity to provide the above comments on the proposed modifications to the HIPAA rules required by HITECH.
Beth Givens, Director
Tena Friery, Research Director
Privacy Rights Clearinghouse
3100 5th Ave., Suite B
San Diego, CA 92103
The Privacy Rights Clearinghouse is a nonprofit consumer education and advocacy organization based in San Diego, CA, and established in 1992. The PRC advises consumers on a variety of informational privacy issues, including financial privacy, medical privacy and identity theft, through a series of fact sheets as well as individual counseling available via telephone and e-mail. It represents consumers’ interests in legislative and regulatory proceedings on the state and federal levels. www.privacyrights.org