
Legislation



No-name Brand Medical Records

President George W. Bush recently announced that under new federal privacy rules for health documents, which took effect on April 14, "patients will have full access to their medical records and more control over how their personal information will be used and disclosed." The rules stipulate that doctors, hospitals and other health care providers obtain written consent from patients before using or disclosing medical information for even routine uses such as treatment or billing claims. Furthermore, for the first time, patients will have a federal right to inspect and copy their records and can propose corrections. The rules cover not only paper records, but also computer files and even oral communications.

It is especially noteworthy that the new rules cover computer files, because the ease of proliferation and dissemination of personal health information on computer networks knows no boundaries. Computerization has eliminated any of the so-called "practical obscurity" that somewhat protected the privacy of hand-written (or scrawled, as the case would often be) medical records. The Hippocratic Oath comes to its end where the World Wide Web begins, and therefore patients should be diligent watch-guards over their personal health information and be vigilant in seeing that the rules are applied with respect to disclosure.

Consumer groups are correct in seeing these rules as a landmark in the history of American medicine. Now it is up to us -- all of us -- being consumers of health care, to view these rules as at once a great opportunity and a wake-up call. For these rules, if taken seriously by consumers, can finally propel medical record-keeping out of its present patchwork state of chaos, health-provider paternalism and general disregard for patient privacy into a bright future of comprehensive documentation, patient-centric control of personal medical information, and privacy protection of an individual's health information.

It should be obvious to doctors that the ultimate medical record would be one kept and maintained by the person whom it concerns - in other words, the patient. We have long been taught at medical schools that over ninety per cent of diagnoses should be arrived at by means of a good history obtained from the patient. Yet the medical profession to date has not done a very good job of allowing patients access to the very information upon which the patients can base a good history.

This has traditionally made getting a good history extremely difficult, as there almost always is some piece of potentially valuable information missing. The patient thinks he had an allergic reaction in the past to penicillin; or was it tetracycline? Once on a holiday he went to a rural emergency room complaining of palpitations and apparently was told he had an electrical problem with his heartbeat; was it an innocent premature ventricular contraction, or something more ominous? Who knows? Certainly not the patient usually, as he was never given the documentation required so the doctor he is now seeing can understand.

If consumers become pro-active they can use the new federal rules to great advantage by making sure they have copies of all their relevant health information. Doctors should be their biggest advocates in this regard. After all, we know the model works; look at immunization cards. This is a medical record of immunization which for decades we have given to patients and parents of patients, enabling them and any of their health care providers to know if the tetanus boosters are up-to-date, or if the baby missed any shots.

Or consider the medical alert bracelet. This is a medical record worn on one's wrist, and something the health care profession has found enormously useful, particularly in emergency situations. Similarly, when I see a patient who has kept a record of past and present medications (even a list in the wallet suffices) it makes my therapeutic decisions that much better informed. No use trying a drug which previously failed; and best to avoid a drug which can cause an adverse reaction with another medication being taken by the patient.

Then there is the issue of costs to the health care system (and inconvenience and more, to the patient) due to tests or procedures being repeated, merely because the patient is either not sure which test was done or what the results were. Thus the blood test done last week in Los Angeles will be repeated this week in New York; or the X-ray done at one city hospital will be repeated at another. Now, thanks to the new regulations, you can obtain a copy of the result or X-ray and avoid unnecessarily repeating a test.

Finally, it is a very sensible check and balance to be able to inspect and propose corrections to your health record. Many of us routinely check the restaurant or cashier's itemizations, and certainly our bank statements. Yet before the new rules we couldn't check our medical records, where the consequences of wrong or missed information could literally be life threatening. (Once I discovered a blood test result from three years previously, stating that the patient's blood smear was consistent with a form of leukemia. The result had been inadvertently filed and never acted upon by a physician. The patient was unaware he had been diagnosed with a blood cancer; yet he certainly would have known if he himself had asked for a copy of the test results).

In addition to maintaining records of relevant health information accrued by different doctors and health care institutions in different places at different times, it would be wise for patients to keep track themselves of many of their personal medical matters. This is already being done through home monitoring by people with conditions such as diabetes and hypertension, for instance. The record a diabetic keeps of daily blood sugars is much more valuable than the occasional measurements done at a lab; blood pressures a hypertensive patient measures at home give a more accurate picture over time than those measured less frequently at the doctor's office. And here's more good news: personal record keeping of health generally leads to tighter control of and better outcomes from most diseases.

So now the question is: what is the wisest way for patients to maintain their own consumer medical record? All roads point to the information superhighway; the Internet, that is. This is clearly the tool that best suits the goal of access anywhere, any time. The problem is how to ensure the privacy of one's personal medical record on the World Wide Web.

Certainly one should never entrust any personal health information to a commercial medical Web site. The companies that run these spare no effort in declaring they are not health care providers, which means that insofar as the new privacy rules go, they are not affected.

Indeed, the Web itself is so porous that it's not a safe place to indicate anything at all about your personal health. If any of your personal health information finds its way to the Web, before you can say "paranoid delusion" a marketing firm will be pitching you diets for your obesity or an insurer will refuse you coverage because your Dad has Alzheimer's Disease or an employer will decline a promotion because you have high cholesterol.

Of course, that's only if it can be determined who you are. The information itself does not identify you unless it's linked to something like your name, address, e-mail, credit card or other identifying feature. So the solution, then, is to record information without ever identifying yourself. Since the record is yours, and you are the one with access -- well, you know who you are -- there is no need to identify yourself to yourself.

Indeed, I have seen scores of patients who do this already in a paper model. That list of their medications they show me, or those blood pressure measurements taken at home, don't come with a name; they come with a "here Doc, these are the medications I'm on; these are my blood pressure readings."

It seems to me that the best way to protect the privacy of medical records is for patients to keep medical records that never say who they are; i.e. truly anonymous records. The most universal and timely access to these records would be achieved by placing them on the Internet, but only in a way that no one (including the Internet Service Provider) other than the patient could know to whom the information pertains.

The new federal rules are indeed a landmark in American medicine. Now that the government has shown its sincerity, we all should show ours. Patients and doctors should embrace the new opportunity before us all and together help the creation of useable anonymous consumer-based personal medical records that would be safely accessible on the World Wide Web. If such records existed it would be advantageous to the health of all.

April 16, 2001
Samuel Berger, MD



Oral Presentation to the Ontario Legislative Assembly Concerning the Ontario Health Privacy Act

The Chair: Dr Berger, we're back with you again in what I suspect is a first: legislative hearings in Little Current. Good morning and welcome to our proceedings. The floor is yours for the next 20 minutes.

Dr Samuel Berger: Thank you very much. I actually intended to leave some of the time for questioning, so I don't know that I'll speak the full 20 minutes. I just would like to say in introduction that I'm extremely impressed with the equipment at the Manitoulin Health Centre in Little Current. This will change the face of rural medicine. This is a pilot project here among several associations, but I was quite taken aback to find that I could speak with you from the island.

I'd like to ask, first of all, whether the comments that I submitted have been received by the committee.

The Chair: Yes, they have; thank you.

Dr Berger: Good. I'm just going to give a word of background initially. I've worked in the area of medical informatics for the last seven years and I'm currently chairman of an Internet privacy company, which is Intercilium Inc. We are developing a product which has to do with health privacy, so my interest in this area goes back for the seven years that I've worked in the field.

I'm particularly concerned about what I believe are the deficiencies of the act to address head-on the whole issue of the Internet age. I'm going to elaborate somewhat on the comments that I made in the preface. Although I've submitted several comments, there are really four main issues that I want to cover. Number one is, again, the issue of the Internet age. The second issue is legal access to personal health information.

The Chair: Doctor, could I ask you to either pan the camera to your right or move slightly to your left?

Dr Berger: OK, how's that?

The Chair: That's much better; thank you. Oh, now you've gone a bit too far.

Dr Berger: OK, one second.

The Chair: There, stop.

Dr Berger: I can hold this position.

Thirdly, I think that the act is perhaps the weakest in the areas of consent. Finally, although I didn't elaborate on this in the preface but I do refer to it in terms of 7 (a), I think that the whole issue of genetic testing and the privacy issues surrounding it must be addressed by the committee.

0940

First of all, in terms of the Internet, we have a situation here where there are commercial companies and other Web sites which are very involved in the collation and collection of personal health information. I believe if this is not specifically spelled out, if these sites are not spelled out as health care custodians, they can fall between the cracks of the entire act. Several commercial companies, for instance, are offering personal health records, personal health diaries, on the Internet, or they are involved in diet management, sports management, many different areas where they are actually asking all sorts of questions. You could go to an aerobics site that might ask questions such as, "Do you have any heart disease," or, "Do you have high cholesterol?" You've got an absolute plethora of sites out there that have tremendously sensitive information about individuals and they are able to use and distribute this information without any particular act of legislation curtailing it.

I feel it's very important to stress that the act should define -- in my view, a health care custodian should be anybody who has personal health care information, whether it be a school or an employer. My particular interest is that, in the Internet age, the committee specifically delineate that Web sites which hold personal health information must protect this information. That's the first point I strongly wish to stress.

Of interest, I will mention as an aside -- and I didn't address this in the brief but it's something the committee may wish to consider -- there is a very big issue of physician privacy which is coming to the fore, because many of these commercial sites actually ask people, "What is the name of your family doctor?" or, "What is the health care institution that you attend?" In fact, these sites can compile databases on physicians and health care workers without the health care worker or the physician knowing that these questions are being asked about them. I think, at best, it's an invasion of privacy; at worst, it's extremely dangerous because, as you know, physicians who perform abortions, for instance, have been shot in this country. So you don't really want that information being pulled out by people on sites.

I think the committee has to look a little bit at the two sides of the coin: both the protection of personally identifiable health information of the subject whom it concerns but also to keep in mind the health care providers and their issues of privacy. But that is an aside.

Secondly -- and I really debated whether to bring this issue to your attention, because I think it's the central issue that is talked about in the United States and Canada, as well as in many other jurisdictions, that being that law enforcement can summons a medical record. I must tell you, the most uncomfortable question I'm probably ever asked as a physician is when a patient says to me, "Is this information confidential?" I have to answer them, "With the exception of if your medical record is summonsed." I believe that destroys the patient-physician interaction and gives law enforcement and the judicial system a privilege that supersedes and is greater than our own privilege. I think physician-patient privilege should be at the level of solicitor-client privilege, which is recognized as the highest privilege in terms of these matters.

The concerns are becoming more acute. I refer you to an article just published by the Wall Street Journal the other day. Where court records become public, there is a new strategy out there of both individuals and organizations publishing public court documents. These court documents, based on summonses, often contain information of a medical and psychiatric nature. Again, when you enter these themes into the world of the Internet and the very strong search mechanisms on the Internet, these issues easily become very apparent. There is not the so-called practical obscurity.

In fact, there is already anecdotal evidence. One woman was searching the genealogy of her family with her daughter, and a divorce court proceeding came up in the search which referred to an affair she had had. Now, this isn't a medical matter but it came up in front of the screen -- easily obtained. So anything medical and psychiatric that is contained in any public court record is going to be fair game for the world of the Internet and I think opens up tremendous privacy issues. So I would urge the committee to consider that side of things.

The other side is that nothing is sacrosanct. When you need information from people and they realize law enforcement can have access to it, it tremendously influences the medical care you can provide and the whole realm of privacy that you want to guarantee to patients. There are very good studies done by the California HealthCare Foundation in the United States which showed that one out of six Americans have done something actively to protect the confidentiality of their medical information. Usually that active thing is either withholding information or lying to health care providers. I don't believe the situation is any different in Canada. It's important to know what drugs people are using, what sexually transmitted diseases they may be susceptible to and so forth, but if people have the fear of this information being able to come up in a court document or otherwise, they will be withholding the information, which skews medical research and skews good medical care.

There was a section that I referred to in my comments about labour relations, and I'm particularly shocked by that because employers are very interested in getting information about individuals. I worked in a lot of rural communities where the employers are very actively involved through the Workers' Compensation Board -- it's under a new name now -- and other areas, and it does influence hireability and employability and job promotion and so forth, so I'm a little bit perplexed at the entire section where labour relations are left out of the picture by the act.

I'm going to move to the area of consent, and I can very briefly summarize this. The feeling of ourselves as a company and I think of most privacy advocates is that the principle that information given with consent for one reason should never be used for another reason without further consent should be adhered to. While I commend the committee for addressing this in terms of a research and ethics committee, that researchers, if they want to use information given for one reason or another, should have to clear an ethics review board, I think, more importantly, they should have to clear the person who first gave the information.

The concern is, if there is cover-all consent -- and that's why I suggested that it's very important to put a time limit on any consent given, because sometimes you have people who say, "Yes, my medical record can be used for research," and two years later they have a positive HIV diagnosis and they don't want their records used for research any more because they don't feel comfortable with who may be getting their records, yet they signed a blanket consent without time restraint. So I would urge the committee to place into the legislation that consent must be on a per-use-with-time-limit basis in all instances and the consent must be obtained from the person from whom the information is obtained.

It's important for you to know that Minnesota has legislation that adheres to that principle. The Mayo Clinic in Minnesota actually cried a lot about that information because they do a lot of retroactive research on very good files from decades ago. They felt, "Now we have to go and ask somebody from 30 years ago or ask their heirs if we can do a new research project," but in fact the Minnesota legislation said, "Yes, you have to do that." They are finding out that most of the time it's going without problem and greater than 97% of the patients who come to the Mayo Clinic are giving widespread consent to their information being used for research. But the issue is, you have to get the consent from the individual involved.

Finally, I want to say something about genetic testing. You have a clause 7(a) which talks about individuals being dead for more than 30 years, that it's open game to find out anything. This is extremely troublesome, particularly in the world of genetic testing. I'll give you some examples.

0950

You could have somebody who at age 44 dies of Huntington's chorea. At that time, they've got a four-year-old or an eight-year-old child. Thirty years later, that child's going to be 34 years old. Maybe that child is in a position to become a CEO of a Fortune 500 company. Incidentally, about 60% of Fortune 500 companies look into the health backgrounds of prospective employees before prospective job advances. That record will be open game. If they want to solicit any record from the father of a patient, they'll be able to.

In fact, this is a very hot topic that was just addressed the other day, because in the United States there is a company that has been doing genetic testing for carpal tunnel syndrome. It's a syndrome that affects the activity of the wrist. They were doing it largely unbeknownst to employees. But what I wanted to point out is that the Genetic Alliance, which is a coalition of patient advocacy groups, did a study just of 220 respondents, but 16% of them cited bias at work and in the military based on documented cases of genetic discrimination. The survey included such cases as a woman who alleged she was denied long-term disability insurance because the company said she had a predisposition for Alzheimer's disease. Its decision was based on a doctor's scribbled notation in her medical record that her father might have the condition. Again, one has to understand that when you have 50-year-olds dying of diseases, and 30 years later their information can be studied, their own children are only going to be 50 at that time and can face tremendous discrimination for themselves and their children and so forth.

I think the act has not been cognizant enough of the entire Human Genome Project and the implications. I think a good starting place would be to say no, somebody being dead for 30 years isn't enough. I think we should increase it to at least 150 years. You use the figure of 150 years at another point in the act, to say that in terms of recorded information, it doesn't apply to information longer than 150 years.

Those are the main points that I'd like to address. I'd be happy to take any questions.

The Chair: Actually, Doctor, you've timed it very well. We have almost seconds left. Knowing myself and my colleagues, we can hardly get our names out in that amount of time, never mind pose a question and have a reasonable answer. But I do appreciate your very detailed and thoughtful presentation before us here today. If you have any supplementary thoughts, please feel free to send them to the committee. I'm sure if the committee members have any questions, we've got your particulars on file and hopefully you'd be able to respond to their questions at that time. Thank you again for joining us today.

March 1, 2001



Written Presentation Concerning Bill 159, the Ontario Health Privacy Act

February 28, 2001

Submitted by:

Samuel Berger, MD
Chairman and CEO
Intercilium, Inc.
One Revmont Drive
Shrewsbury, NJ 07702

PREFACE

Let us first commend the Committee for initiating this Act. Its intent is admirable, and it seeks to address the protection of information which throughout the centuries has been regarded as private and privileged. Indeed, the private nature of personal health information and the duty to protect this privacy is clearly stated in the Hippocratic Oath. Unfortunately, it is fair to say that the Hippocratic Oath has ended where the World Wide Web has begun, and where law enforcement and judicial interference has imposed its prying omnipotence. It is these concerns which we are particularly concerned with addressing, and our recommendations are as follows:

1) The Act should specifically spell out the manner in which personally identifiable health information must be protected in the online world.

2) The Act should protect information exchanged between a patient and a physician on at least the same high level as the protections offered by solicitor-client privilege; such exchanges being free, with rare exception, from the intervention of the justice system.

3) The Act should be much stronger where issues of consent are raised. Specifically, any and all use of any personally identifiable health information should require, in every instance of use, the consent of the individual to whom the information pertains.

GENERAL AND SPECIFIC COMMENTS

2. (1): "health care custodian"

This definition must be expanded to include commercial and other Web sites which solicit, collect and maintain personally identifiable health information. It should also include marketers, both on- and offline, who maintain any personal health information pertaining to identifiable individuals. We do not believe that 2. (12) is precise enough in this regard.

2. (1): "personal health information"

The Committee should be aware that it is "reasonably foreseeable" that with a bare minimum of information it is possible to clearly identify an individual through database matching and other methodologies. Achieving true anonymity of information pertaining to individuals is virtually impossible (and we urge the Committee to review research done by Latanya Sweeney of MIT in this regard). This fact makes 7 (c) an exceptional circumstance.

2. (6) "Other exceptions"

It is patently ridiculous that aboriginal healers, midwives and religious figures are exempted from the legislation. One standard should apply to all.

7. (a) The Act should apply to individuals dead for more than 30 years, as 30 years is not enough time to protect family members from the implications of genetic information which may have existed with respect to the dead person.

7. (d) The Act should certainly apply to information which relates to the employment of an individual. Exempting such information from protection opens up great potential for abuse of and discrimination based on the information.

12. (5) The Committee should be strongly commended for this clause, because, in fact, it is "reasonably possible" to keep identifiers of the individual separate from the information in nearly all circumstances, while still meeting the purpose of its use.

17. (3) (b) Where does the Committee stand with respect to e-mail? Does the Committee believe e-mail containing personal health information can be adequately protected short of using extremely sophisticated encryption methodologies? We do not. The Act should very clearly describe what it considers adequate safeguards.

18. (1) "Reasonable steps" is weak wording in the digital age. For instance, in clause (b) would hacking be considered by the Committee to be a "reasonably foreseeable threat or hazard to the security or integrity of the information"? It should.

PART V - CONSENT CONCERNING PERSONAL HEALTH INFORMATION

This section is generally weak. As stated in our Preface, we believe that all disclosure of personal health information, and in each circumstance, should require consent by the individual to whom the information pertains. With respect to (4) "Time-limited consent", there should be a requirement to specify a time after which the consent will cease to be effective. Consent for use of personal health information must not go on forever; indeed, the time period of and purpose for its use should be very clearly defined in each circumstance.

29. (1) and (2): We believe all of these circumstances should require the clear consent of the individual, with the exception of a situation in (d) where the individual is clearly too incapacitated to give consent (e.g. unconsciousness).

32. (12) We commend the Committee on this very important clause. However, we believe information given for one purpose should not be used for another purpose without the consent of the individual to whom the information pertains.

34. (1) (e) and 34. (9): As stated in our Preface, this is an extremely worrisome part of the Act. The rock upon which medical confidentiality breaks apart is the ability of law enforcement to summons medical records. The privileges of law enforcement should not supersede those of a physician with respect to his or her patient. Law enforcement should not be undermining the sanctity of the Hippocratic Oath, and we urge the Committee to speak out in favor of altogether restricting access by law enforcement and the judicial system to records containing personal health information. In addition, we beg the Committee to consider a phenomenon already taking place in the United States, namely sensitive court records going online (see "Sensitive court records go online, sparking debate over restrictions", by Jerry Markon, The Wall Street Journal, February 27, 2001). Making court documents public has taken on new meaning in the Internet age (the days of so-called "practical obscurity" are behind us), as a variety of courts and individuals are starting to post rulings and related documents on the Web, including court files which may contain medical and psychiatric records. We feel the Committee would be wise to address this issue, and prevent public court records containing personal health information from being placed online.

CONCLUSION

We at Intercilium, Inc. would like to thank the Committee for affording us consideration in both oral and written formats. While we commend the Committee on many aspects of the Act, we nevertheless find serious deficiencies, especially with respect to the realities of the Internet age, with law enforcement access, and with issues related to consent.

The comments in this brief are respectfully submitted by Samuel Berger, MD, on behalf of Intercilium, Inc., of which he is Chairman and CEO.

February 28, 2001



Comments on the Proposed Rules:

Standards for Privacy of Individually Identifiable Health Information

U.S. Department of Health and Human Services
Assistant Secretary for Planning and Evaluation
Attention: Privacy-P
Room G-332A
Hubert H. Humphrey Building
200 Independence Avenue SW
Washington, D.C. 20201

12 February 2000

Dear Sir or Madam:

Following are the comments of Dr. Shmuel Berger, Chairman and CEO of Intercilium Inc. (incorporated in Delaware, U.S.A., with research and development in Israel), concerning Standards for Privacy of Individually Identifiable Health Information, as published in the Federal Register, November 3, 1999. Dr. Berger is an expert on the privacy protection of personal health information.

The publication of draft standards for protecting the privacy of personally
identifiable health information is a heartening step forward. Federal rules in
this area are critical to ensure that the Hippocratic Oath does not end where
the World Wide Web begins. Although Intercilium Inc. believes that many
aspects of the Proposed Rules need significant strengthening, overall the
Administration's proposal is a step in the right direction.

The following comments relate to both specific issues, and some of the
broader issues of privacy and access to health records.

Applicability and Definitions

In general, we believe the greatest weakness of the Proposed Rules is that they do not cover enough entities, by only addressing those three which fall under the Definitions.

We are witnessing a proliferation of online health care service and content companies -- including online medical record companies -- the vast majority of which demonstrate an exceedingly poor record in addressing privacy issues. (This was documented thoroughly in the recent California HealthCare Foundation's Report on the Privacy Policies and Practices of Health Web Sites.) It is critical that the Administration make clear that these companies fall under the definition of a health care provider, to wit: "a provider of medical or other health care services…who furnishes, bills or is paid for health care services or supplies in the normal course of business."

Treatment, payment and health care operations

Health care providers should not be allowed to disclose protected health information for marketing, information for sale, rent or barter.

We must point out that if online health content and service companies are defined as health care providers, then health care providers should not be allowed to disclose protected health information for marketing, information for sale, rent or barter.

Definitions: Individually identifiable health information

We believe there is an important oversight in the list of data elements which, if removed, would make information presumed to be unidentifiable. Provider names should be added to this list.

The name of a health care provider, clinic or institute can, in and of itself, lead to many assumptions, which compromise the privacy of a consumer.

Additionally, any request by a third party or an online company for provider names is at best an invasion of privacy and at worst dangerous. At a minimum, it allows database compilers and marketers to track and profile provider information; at its worst it could endanger the life of a provider (for example one who provides abortions).

We believe that the examples of entities that would have the statistical experience to judge the probability of information being used in a way which could lead to identification must include high-tech providers and any providers of electronic health services or records on the Web.

Treatment, payment and health care operations
c. Exception for psychotherapy notes

Many primary care physicians (General Practitioners and Family Practitioners) practice psychotherapy and maintain psychotherapy notes in their records. The definition of a health care provider "who is a mental health professional" is too narrow, since neither General nor Family Practitioners are included within it.

Furthermore, we believe the term should include medication prescription and monitoring, modalities of treatment, results of clinical tests, diagnoses and symptoms, and treatment plans (see p. 59941), as these are strong indicators of precisely which mental health condition affects an individual.

Definitions
22. Protected health information

The Proposed Rules should offer protection of protected health information once inmates are released from correctional facilities.

Introduction to general rules

We applaud the Administration for its belief that "all protected health information should have effective protection from inappropriate use and disclosure by covered entities" independent of the so-called "sensitivity of such information". We strongly believe that the Rules should also mention individuals in sensitive or public positions; for example, those seeking public office, politicians or famous persons should also be strongly protected.

Right to restrict

We believe that the Rules should support a provider's right to honor an individual user's request to not even record a certain piece of information. This would ensure that the information would not be further disclosed in writing.

We further believe that since the current state of technology allows certain information to be hidden from all those without access privileges, it does not place an unfair burden on providers to implement a requested restriction throughout all further disclosure of other information.

We believe that the Rules should clearly restrict a marketer or profiling company from being a business partner allowed to receive protected health information. Nevertheless, we are encouraged by the provisions for the scope of the contractual agreement (p. 59948).

We believe that the exception to the contracting requirement (p. 59949) is a bad one. Patients and consumers should be informed about, and consent to, the transfer of protected information in referrals and consultations, and be protected from this information inadvertently being disclosed to another health care professional who is a family friend or intimate.

Furthermore, we do not believe that business partners should be able to distribute the results of analyses to any person, subject only to the limitation that the data could not identify individuals. The problem without restriction here is that certain groups could be stigmatized by aggregate de-identified data, e.g. homosexuals, ethnic groups etc.

Deceased persons

Here we believe the Proposed Rules are at their weakest. A two-year period of restriction is inadequately short. We believe the period should be at least 20 years. There can be tremendous implications for survivors if information is released; e.g. the surviving partner of an HIV positive individual. Or worse, employers could freely request information on the deceased parents or siblings of a potential hire or an employee.

Furthermore, after a two-year period, covered entities would have carte blanche to even sell databases of deceased persons to marketers, especially if those marketers are defined as "business partners" according to the Proposed Rules.

Individual authorization
8. Expired, Deficient, or False Authorization

We strongly believe that a covered entity must bear the responsibility of confirming the identity of a person who signed an authorization. The dangers of malicious representation for authorization are simply too great for the Rules not to demand some reasonable attempt at confirmation.

Law enforcement

We believe that the Rules are much too liberal with regard to access by law enforcement. Personal health information should have the same protections as attorney-client and clergy-client relationships. It should not be accessible or admissible without individual authorization, unless the information may clearly endanger the lives of others.

Banking and payment processes

Here we also believe the Rules are inadequate and faulty. We do not think financial institutions should be privy to individually identifiable health information for any reason whatsoever, and we believe that there are technological solutions to separate identity from information necessary for financial transactions.

Access for inspection and copying

We commend the proposed Rules here, and fully support liberal access by an individual to any records pertaining to their personal health information.

Policies and procedures

We entirely support and commend the requirement for covered entities to develop and document policies for how protected health information would be used and disclosed by the entity and its business partners; and to comply with the requirements for use and disclosure pursuant to an individual's authorization.

Summary

We regard the biggest failure of the Proposed Rules to be their limitation of scope. We believe any entity, of any kind, that keeps any record, of any kind, containing individually identifiable health information should be covered by the Rules. Nevertheless, we are encouraged by the Administration's steps, and would hope that after a further discussion period the Rules will be considerably strengthened in the service of privacy.

As President Clinton himself has said: "We must protect our citizens' privacy - the bulwark of personal liberty, the safeguard of individual creativity."

We thank you kindly for the privilege of submitting comments.





© 1999-2007 Intercilium Inc. All rights reserved. Intercilium, PHDtoGo and ThePHD are trademarks of Intercilium Inc. Designated trademarks and brands are the property of their respective owners.