Health-Related Privacy
For the health care industry in particular, there are at least three ongoing developments that will be worth following over the next few months. First, on February 8, President Clinton issued Executive Order 13145 – "To Prohibit Discrimination in Federal Employment Based on Genetic Information." This obligates heads of executive departments and agencies to prevent discrimination "because of protected genetic information with respect to the employee, or because of information about a request for or receipt of genetic services." Federal employers "shall not request, require, collect or purchase" such information and "shall not disclose such information" except under specified circumstances. The requested information shall not be maintained "in general personnel files."
In general, "protected genetic information" is defined to mean only "information about an individual's genetic tests," "information about the genetic tests of an individual's family members," or "information about the occurrence of a disease, or medical condition or disorder in family members of the individual."
The White House release announcing this "historic action" goes on to emphasize that the President "will also endorse the Genetic Nondiscrimination in Health Insurance and Employment Act of 1999," introduced by Senator Daschle (S. 1322) and Congressman Slaughter (H.R. 306), which is designed to "extend these protections to the private sector and to individuals purchasing health insurance." The nature and speed of congressional response to this Presidential initiative clearly merit attention.
Second, the Health Privacy Project, an Institute affiliated with Georgetown University, released the results of a study indicating that health care websites often do not follow their own published privacy statements. The report profiled 21 health-related websites. The major findings of this report are:
- Visitors to health websites are not anonymous, even if they think they are.
- Health websites recognize consumers' concern about the privacy of their personal health information and have made efforts to establish privacy policies; however, the policies fall short of truly safeguarding consumers.
- There is inconsistency between the privacy policies and the actual practices of health websites.
- Consumers are using health websites to manage their health better, but their personal health information may not be adequately protected.
- Health websites with privacy policies that disclaim liability for the actions of third parties on the site negate those very policies.
The report's stated objective is "to alert consumers and the industry to an impending problem so the industry can address the problem before it becomes acute." Reportedly, the FTC also is taking an official interest.
Third, HHS has received an avalanche of comments on the proposed rules for the confidentiality of electronic medical records. The comment period closed on February 17, at which time HHS Asst. Secretary Hamburg advised the House Ways and Means Health Subcommittee that HHS "had received over 30,000 comments by mail or hand delivery, and another 10,000 on our website." She expressed an agency commitment "to reviewing all the public comments" using an "interagency team," but offered no suggestion as to the timing or content of the final rules.
The key areas of controversy are the following, each of which has significant risk management implications:
- The requirements that will be imposed on "business partners" of health care providers and health plans;
- Whether patients have (or should be given) an effective right to enforce their privacy as the "third-party beneficiaries" of privacy agreements;
- What "security levels" will be imposed on confidential data;
- Whether all medical information, not just electronic records, will be encompassed within the regulations; and
- Whether law firms will be treated as "business partners" and, if so, how this will affect privilege issues.
Last, the true wild card in the health care privacy debate is Congress. There is mounting pressure for Congressional intervention, and both parties recently have formed "Privacy Caucuses" to examine privacy policies. With all of this change, and the new activity at state legislatures to supplement the federal protections, carriers insuring affected industries may wish to include a review of privacy practices as a component of risk assessment.