Major Topics  
Bioterrorism &
Health Choices
Health Care
Health Insurance  
Health Privacy  
Informed Consent  
Legal Issues  
Medicare and
Monopoly in
Patients' Rights/
Freedom to Choose


Our privacy policy  
An honest source for information about policies that affect your freedom to choose your health care treatments and providers and to maintain your health privacy—including genetic privacy.
Home | About IHF | What's New | Newsletter | Links | Search | Get e-mail Updates

February 16, 2000

Secretary Donna E. Shalala
U.S. Department of Health and Human Services
C/O Assistant Secretary for Planning and Evaluation
Attention: Privacy-P, Room G-322A
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, DC 20201

Dear Secretary Shalala:

The Institute for Health Freedom (IHF) is writing to comment on and seek answers to questions regarding the proposed federal rule titled "Standards for Privacy of Individually Identifiable Health Information," published in the Federal Register on November 3, 1999.

HHS Fails to Explain Clearly the Relationship Between the Proposed Privacy Rule and the Unique Health Identifier

The proposed regulations begin with an explanation of the need for new federal medical privacy regulations (see Section I. Background, pages 59919-59927). In presenting the background description, however, HHS fails to define clearly-- in terms that the average American could understand--any relationship between the proposed rule and the forthcoming "Unique Health Identifier" for individuals. Additionally, the section of the regulations titled "Statutory Basis and Purpose" [160.101] also fails to explain clearly any relationship between the proposed rule and the Unique Health Identifier.

Is there a relationship between the proposed rule and federal plans (the Health Insurance Portability and Accountability Act) for assigning every American a Unique Health Identifier? If so, what is the relationship and how is the public to learn about it? Since the regulations were proposed on November 3, 1999, has HHS held or participated in any government or private meetings regarding the proposed medical privacy rule and the Unique Health Identifier? During the past ten years, has the federal government awarded any grants or contracts to develop software and/or biotechnology systems for assigning every American a Unique Health Identifier? Has the federal government awarded any grants or contracts to develop software and/or biotechnology systems for tracking individuals' personally identifiable health information?

The public deserves to know--in clear and simple terms--exactly why the federal privacy rule is being established and its relationship to the forthcoming Unique Health Identifier and/or any tracking system that will collect personally identifiable health information--including genetic information--without individuals' consent. The public will not be able to make informed decisions about the proposed federal privacy rule until citizens know whether or not the rule would apply to the Unique Health Identifier and/or biological tracking systems--such as DNA technology.

Proposed Regulations Eliminate Patient Consent

It is ironic that, in an era of patients' rights, HHS has drafted regulations that strip patients of the right to authorize who has access to their medical information (see Section II. Provisions of the Proposed Rule). Under the proposed regulations, patient authorization will no longer be required prior to disclosing identifiable health care information in most circumstances. In fact, the proposed regulations state:

"We also propose to prohibit [emphasis added] covered entities from seeking individual authorization for uses and disclosures for treatment, payment and health care operations unless required by State or other applicable law." (see page 59941)
In effect, the federal government is eliminating patient consent for disclosure of most health care information. This is clearly a move away from patients' rights and away from protecting privacy. Why, then, is HHS telling the public that they are gaining new medical privacy protections when, in fact, the federal regulations eliminate patient authorization?

Proposed Regulations Legalize Access to Patients' Personal Medical Information

Under the proposed regulations, many more people and organizations--including health plans, providers, hospitals, researchers, medical students, government agents, law enforcement officials, and others--will have legal access to patients' medical records without obtaining patients' consent. Individual authorization is not required for sharing information related to medical treatment, payment, or "health care operations"-- a broad term that encompasses many activities. The regulations read:

"After balancing privacy and other social values, we are proposing rules that would permit use or disclosure of health information without individual authorization [emphasis added] for the following national priority activities and activities that allow the health care system to operate smoothly:
  • Oversight of the health care system
  • Public health functions
  • Research
  • Judicial and administrative proceedings
  • Law enforcement
  • Emergency circumstances
  • To provide information to next-of-kin
  • For identification of the body of a deceased person, or the cause of death
  • For government health data systems
  • For facility patient directories
  • To banks, to process health care payments and premiums
  • For management of active duty military and other special classes of individuals
  • Where other law requires such disclosure and no other category of permissible disclosures would allow the disclosure." (See pages 59925-59926)
HHS acknowledges that the regulations increase access to patients' medical records. In its proposed regulations, HHS cites a congressional report noting:
" . . .Health information is considered relatively `safe' today, not because it is secure, but because it is difficult to access. These standards improve access [emphasis added] and establish strict privacy protections." (See page 59928)
This is a contradiction. How does giving more people access to patients' medical information establish strict privacy protections? It doesn't. Rather, allowing more people to peer into patients' medical records results in less privacy.

In announcing the federal medical privacy regulations, President Clinton stated that the new rule "would greatly limit the release of private health information without consent." However, a careful review of the proposed regulations shows that is not the case. The public deserves an honest explanation about whether the proposed rule would limit or increase access to patients' medical information without their consent. Why is the public being told that the proposed rule will protect patients' medical records when, in fact, it actually legalizes access to personal medical information without patient consent?

Proposed Regulations Could Preempt State Laws

Many organizations have endorsed the pending medical privacy regulations under the misguided assumption that the federal rule will not preempt more stringent state laws. However, under the proposed rule, it is not always obvious whether a state law is more stringent; HHS' definition of "more stringent" is confusing and ambiguous. For example, how would HHS decide whether a state law is preempted in the following scenario?

Jane Doe resides in a state that requires patient authorization before personal information can be shared; the state penalty for disclosing information improperly is $5,000. On the other hand, the new federal rule stipulates that patient authorization is not required for disclosing information related to medical treatment, payment or health care operations; but the federal penalty for improper disclosure is $25,000.
Under the proposed federal regulations, which law-- the state or federal law--would be considered "more stringent?" Could the federal government interpret its new rule as "more stringent" because it imposes a greater penalty? From the patient's perspective, the state law would provide patient control of information and greater confidentiality. The state law would not permit Ms. Doe's personal medical information to flow over the Internet without her consent, but the federal rule would.

How can HHS guarantee that patients will not be stripped of their state right to medical privacy until it clearly defines what it means by a "more stringent" state law?

HHS claims that the federal rule is needed because states do not provide adequate medical privacy protections. This claim is based on findings from a report titled "The State of Health Privacy: An Uneven Terrain." However, the authors of the report point out that they did not examine state common law, where much medical privacy-related law exists. In its preface, the report reads:

"At the outset, it is important to say what this report is, and what it is not. The State of Health Privacy includes a summary of each state's major statutes related to the confidentiality of personal health information. The survey is specifically and exclusively a survey of statutes, not laws. This distinction is important: we did not research or include regulations or common law, both of which ultimately must be understood in order to appreciate the full range of protections at the state level."
How can HHS claim that people are better off with the new federal privacy rule when, in fact, the most comprehensive review of state laws did not include an analysis of common law or regulations? This is an important oversight because the regulations note that "Also, much State `privacy law'--e.g., the law concerning the physician/patient privilege--is not found in statutes, but is rather in State common law." (See page 59996).

Until State common law and regulations are examined, HHS can't declare for sure whether or not the proposed federal medical privacy regulations provide greater or weaker protection for individuals.


The proposed federal medical privacy rule should be withdrawn completely until:

  • The public is fully informed about the relationship between the proposed federal medical privacy rule and the Unique Health Identifier.
  • HHS thoroughly examines each state's existing common law and regulations regarding medical privacy.

Americans deserve to know the truth about how the proposed federal medical privacy regulations relate to the Unique Health Identifier and whether the rule will limit or increase access to individuals' personal medical information. These are very important issues that must be addressed before the public can make informed decisions about the proposed regulations.


Sue A. Blevins

Americans deserve to know the truth about how the proposed federal medical privacy regulations relate to the Unique Health Identifier and whether the rule will limit or increase access to individuals' personal medical information.
Institute for Health Freedom

1825 Eye Street, N.W., Suite 400
Washington, DC 20006

Tel: (202) 429-6610
Fax: (202) 861-1973

IHF Home | Top of page
Copyright © 1997-2005 Institute for Health Freedom.
Webmaster: Greg Dirasian