Politech mailing list archives
FC: Rep. Armey asks HHS to block Clinton-era medical privacy regs
From: Declan McCullagh <declan () well com>
Date: Mon, 05 Mar 2001 14:31:37 -0500
********** Background: http://www.politechbot.com/p-01771.html http://www.politechbot.com/p-01764.html ********** From: "Diamond, Richard" <Richard.Diamond () mail house gov> Subject: Armey on medical privacy regulations Date: Mon, 5 Mar 2001 14:16:23 -0500 Mr. Armey urged Secretary Thompson to suspend implementation of the previous administration's medical privacy regs. A copy of our release is included below, along with the full text of the letter. The website version of the letter (see link below) has background links to each of the issues raised. http://www.freedom.gov/library/technology/medletter.asp Richard Diamond Office of the Majority Leader US House of Representatives 202-225-6600 / www.freedom.gov Is the Government a Threat to Medical Privacy? Another Last Minute Clinton Administration Decision Could Endanger Privacy House Majority Leader Dick Armey (R-TX) wrote to Secretary of Health and Human Services Tommy Thompson today, urging him to suspend implementation on the Clinton Administration's last-minute medical privacy regulations, suggesting they could do more harm than good to those concerned about the privacy of their records. The proposed regulation regarding medical privacy, issued under the Health Insurance Portability and Accountability Act (HIPAA), would impose a new mandate requiring doctors, hospitals, and other health care providers to share personal medical records with the federal government. According to the proposed rules, the federal government could in certain circumstances obtain this information "at any time and without notice." "It is not entirely clear to me how the new rules will actually address real medical privacy harms currently suffered by patients not already covered by tort law or other remedies," Armey wrote. "The proposed HIPAA regulations, however, may actually have the opposite effect, putting private personally identifiable information at greater risk than exists today." The federal government gathers a staggering amount of sensitive personal information about individuals. But it has a questionable record when it comes to protecting that information. A House Government Reform and Oversight Subcommittee surveyed the security practices of the federal government and gave them an overall "D-" for their ability to protect their computer systems from prying eyes. The Department of Veterans' Affairs was found to have such weak security that the sensitive medical records were put at risk. The VA Inspector General testified in the House that, "these weaknesses were so serious as to reveal information at the individual veteran level." "A 'Trust me, I'm from the government' approach just won't wash," wrote Armey. "The federal government certainly has not earned a reputation of trustworthiness in the handling of medical records or in safeguarding Internet privacy sufficient to justify the proposed regulation." "In short, this proposed regulation puts the medical privacy of millions of Americans at risk," Armey wrote. "Handing sensitive medical records to federal departments and agencies that are ill-equipped to protect that information is not a solution; it is inviting abuse, errors, scandal, and tragedy." ---- March 5, 2001 The Honorable Tommy G. Thompson U.S. Department of Health and Human Services 200 Independence Avenue, SW Washington, D.C. 20201 Dear Secretary Thompson: I am pleased to have this opportunity to comment on the proposed regulation regarding medical privacy issued under the Health Insurance Portability and Accountability Act (HIPAA). Considering the unseemly rush to get the rule finalized before the end of the previous Administration, I think it is indeed prudent to look before we leap. As you may know, I have taken a considerable interest in privacy issues. I was among the first to question the legitimacy of the "Carnivore" program at the Department of Justice, which is designed to track the Internet activity of suspected criminals without detection but threatens the privacy of every e-mail you or I send. I have also worked with Rep. Billy Tauzin to determine how well Federal government web sites protect online privacy, as defined by the Federal Trade Commission. I take the privacy of personal information very seriously. The HIPAA regulations were drafted to address a concern that many Americans have that their personal medical records are not kept private. The lengthy document outlines complicated new requirements for patients to sign authorizations for the release of personal information under specific circumstances. It is not entirely clear to me how the new rules will actually address real medical privacy harms currently suffered by patients not already covered by tort law or other remedies. Nonetheless, the stated purpose of the rules was to improve the privacy of medical records. The proposed HIPAA regulations, however, may actually have the opposite effect, putting private personally identifiable information at greater risk than exists today. What has not been widely reported are the rule's new mandates requiring doctors, hospitals, and other health care providers to share patients' personal medical records with the federal government, sometimes without notice or advance warning. (See, for example, Federal Register, Vol. 65, No. 250, December 28, 2000, p. 82802, Sec. 160.310.) The federal government is probably the single largest collector and compiler of personally identifiable medical information in America. Federal computer databanks are filled with intimate details of the medical histories of millions of Americans-and often the poor, who are least able to monitor and safeguard their own rights. The Medicare and Medicaid systems, the Veterans Health Administration, and other government-run health care programs all collect the kinds of medical information the proposed privacy regulation is supposed to protect. Far from protecting privacy, the proposed regulation actually provides the federal government with more access to people's personal medical records. A "Trust me, I'm from the government" approach just won't wash. People who are concerned about having their medical histories wind up in the wrong hands don't care whether it is their doctor or their government that threatens their privacy. They want their privacy protected. The federal government certainly has not earned a reputation of trustworthiness in the handling of medical records or in safeguarding Internet privacy sufficient to justify the proposed regulation. Last year, Rep. Tauzin and I commissioned a study with the General Accounting Office that showed 97 percent of federal government web sites failed to meet the privacy standards recommended by the Federal Trade Commission for commercial web sites. Among the agency web sites reviewed were the Food and Drug Administration, the Health Care Financing Administration, the Veterans Health Administration, and the National Institute of Allergy and Infectious Diseases. We should first determine whether these agencies can be trusted with personally identifiable medical information before we grant them new power to collect such information. Similarly, Rep. Steve Horn, chairman of the House Government Reform and Oversight Subcommittee, conducted a review of how well federal departments and agencies maintain computer security. The Department of Health and Human Services received a failing grade. Yet the proposed regulation would channel even more personal medical information to HHS. Before requiring health care providers to hand sensitive personal information over to HHS, Americans deserve to know that their medical records will in fact receive the highest level of protection and security. We cannot afford to have another Department of Veterans Affairs' disaster. Last year, the VA's Office of Inspector General testified at a congressional hearing that veterans' medical records were at risk. According to an article in National Journal's Technology Daily, hackers were easily able to take total control of all veteran benefit records. This information includes mental health information and other sensitive data. Under questioning from Rep. Terry Everett, the agency's auditor said, "These weaknesses were so serious as to reveal information at the individual veteran level." Imagine the backlash if the federal government required the collection of personal medical information, and then left it vulnerable to those seeking to misuse that information-be they external hackers or disgruntled bureaucrats with an axe to grind. In short, this proposed regulation puts the medical privacy of millions of Americans at risk. Handing sensitive medical records to federal departments and agencies that are ill-equipped to protect that information is not a solution; it is inviting abuse, errors, scandal, and tragedy. I urge you to put the Clinton Administration's privacy regulation on hold until a comprehensive review can be conducted as to the wisdom of handing over personal medical records to the federal government-and until Americans can be convinced that this is the best way to protect their privacy. Thank you for your consideration. Respectfully, DICK ARMEY Member of Congress ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if it remains intact. To subscribe, visit http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------
Current thread:
- FC: Rep. Armey asks HHS to block Clinton-era medical privacy regs Declan McCullagh (Mar 05)