Politech mailing list archives

FC: Rep. Armey asks HHS to block Clinton-era medical privacy regs


From: Declan McCullagh <declan () well com>
Date: Mon, 05 Mar 2001 14:31:37 -0500


**********
Background:
http://www.politechbot.com/p-01771.html
http://www.politechbot.com/p-01764.html
**********

From: "Diamond, Richard" <Richard.Diamond () mail house gov>
Subject: Armey on medical privacy regulations
Date: Mon, 5 Mar 2001 14:16:23 -0500

Mr. Armey urged Secretary Thompson to suspend implementation of the previous
administration's medical privacy regs. A copy of our release is included
below, along with the full text of the letter.  The website version of the
letter (see link below) has background links to each of the issues raised.
http://www.freedom.gov/library/technology/medletter.asp

Richard Diamond
Office of the Majority Leader
US House of Representatives
202-225-6600 / www.freedom.gov




Is the Government a Threat to Medical Privacy?
Another Last Minute Clinton Administration Decision Could Endanger Privacy

House Majority Leader Dick Armey (R-TX) wrote to Secretary of Health and
Human Services Tommy Thompson today, urging him to suspend implementation of
the Clinton Administration's last-minute medical privacy regulations,
suggesting they could do more harm than good to those concerned about the
privacy of their records.

        The proposed regulation regarding medical privacy, issued under the
Health Insurance Portability and Accountability Act (HIPAA), would impose a
new mandate requiring doctors, hospitals, and other health care providers to
share personal medical records with the federal government. According to the
proposed rules, the federal government could in certain circumstances obtain
this information "at any time and without notice."

        "It is not entirely clear to me how the new rules will actually
address real medical privacy harms currently suffered by patients not
already covered by tort law or other remedies," Armey wrote. "The proposed
HIPAA regulations, however, may actually have the opposite effect, putting
private personally identifiable information at greater risk than exists
today."

        The federal government gathers a staggering amount of sensitive
personal information about individuals.  But it has a questionable record
when it comes to protecting that information.  A House Government Reform and
Oversight Subcommittee surveyed the security practices of the federal
government and gave them an overall "D-" for their ability to protect their
computer systems from prying eyes.

        The Department of Veterans Affairs was found to have such weak
security that the sensitive medical records were put at risk.  The VA
Inspector General testified in the House that, "these weaknesses were so
serious as to reveal information at the individual veteran level."

        "A 'Trust me, I'm from the government' approach just won't wash,"
wrote Armey.  "The federal government certainly has not earned a reputation
of trustworthiness in the handling of medical records or in safeguarding
Internet privacy sufficient to justify the proposed regulation."

        "In short, this proposed regulation puts the medical privacy of
millions of Americans at risk," Armey wrote.  "Handing sensitive medical
records to federal departments and agencies that are ill-equipped to protect
that information is not a solution; it is inviting abuse, errors, scandal,
and tragedy."

----

                                        March 5, 2001

The Honorable Tommy G. Thompson
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, D.C. 20201

Dear Secretary Thompson:

        I am pleased to have this opportunity to comment on the proposed
regulation regarding medical privacy issued under the Health Insurance
Portability and Accountability Act (HIPAA).  Considering the unseemly rush
to get the rule finalized before the end of the previous Administration, I
think it is indeed prudent to look before we leap.

        As you may know, I have taken a considerable interest in privacy
issues.  I was among the first to question the legitimacy of the "Carnivore"
program at the Department of Justice, which is designed to track the
Internet activity of suspected criminals without detection but threatens the
privacy of every e-mail you or I send.  I have also worked with Rep. Billy
Tauzin to determine how well Federal government web sites protect online
privacy, as defined by the Federal Trade Commission. I take the privacy of
personal information very seriously.

        The HIPAA regulations were drafted to address a concern that many
Americans have that their personal medical records are not kept private.
The lengthy document outlines complicated new requirements for patients to
sign authorizations for the release of personal information under specific
circumstances.  It is not entirely clear to me how the new rules will
actually address real medical privacy harms currently suffered by patients
not already covered by tort law or other remedies.  Nonetheless, the stated
purpose of the rules was to improve the privacy of medical records.

        The proposed HIPAA regulations, however, may actually have the
opposite effect, putting private personally identifiable information at
greater risk than exists today.  What has not been widely reported are the
rule's new mandates requiring doctors, hospitals, and other health care
providers to share patients' personal medical records with the federal
government, sometimes without notice or advance warning. (See, for example,
Federal Register, Vol. 65, No. 250, December 28, 2000, p. 82802, Sec.
160.310.)

        The federal government is probably the single largest collector and
compiler of personally identifiable medical information in America.  Federal
computer databanks are filled with intimate details of the medical histories
of millions of Americans -- and often the poor, who are least able to monitor
and safeguard their own rights.  The Medicare and Medicaid systems, the
Veterans Health Administration, and other government-run health care
programs all collect the kinds of medical information the proposed privacy
regulation is supposed to protect.  Far from protecting privacy, the
proposed regulation actually provides the federal government with more
access to people's personal medical records.

        A "Trust me, I'm from the government" approach just won't wash.
People who are concerned about having their medical histories wind up in the
wrong hands don't care whether it is their doctor or their government that
threatens their privacy.  They want their privacy protected.

        The federal government certainly has not earned a reputation of
trustworthiness in the handling of medical records or in safeguarding
Internet privacy sufficient to justify the proposed regulation.  Last year,
Rep. Tauzin and I commissioned a study with the General Accounting Office
that showed 97 percent of federal government web sites failed to meet the
privacy standards recommended by the Federal Trade Commission for commercial
web sites.  Among the agency web sites reviewed were the Food and Drug
Administration, the Health Care Financing Administration, the Veterans
Health Administration, and the National Institute of Allergy and Infectious
Diseases.  We should first determine whether these agencies can be trusted
with personally identifiable medical information before we grant them new
power to collect such information.

        Similarly, Rep. Steve Horn, chairman of the House Government Reform
and Oversight Subcommittee, conducted a review of how well federal
departments and agencies maintain computer security.  The Department of
Health and Human Services received a failing grade.  Yet the proposed
regulation would channel even more personal medical information to HHS.
Before requiring health care providers to hand sensitive personal
information over to HHS, Americans deserve to know that their medical
records will in fact receive the highest level of protection and security.

        We cannot afford to have another Department of Veterans Affairs
disaster.  Last year, the VA's Office of Inspector General testified at a
congressional hearing that veterans' medical records were at risk.
According to an article in National Journal's Technology Daily, hackers were
easily able to take total control of all veteran benefit records.  This
information includes mental health information and other sensitive data.
Under questioning from Rep. Terry Everett, the agency's auditor said, "These
weaknesses were so serious as to reveal information at the individual
veteran level."  Imagine the backlash if the federal government required the
collection of personal medical information, and then left it vulnerable to
those seeking to misuse that information -- be they external hackers or
disgruntled bureaucrats with an axe to grind.

        In short, this proposed regulation puts the medical privacy of
millions of Americans at risk.  Handing sensitive medical records to federal
departments and agencies that are ill-equipped to protect that information
is not a solution; it is inviting abuse, errors, scandal, and tragedy.

        I urge you to put the Clinton Administration's privacy regulation on
hold until a comprehensive review can be conducted as to the wisdom of
handing over personal medical records to the federal government -- and until
Americans can be convinced that this is the best way to protect their
privacy.  Thank you for your consideration.

                        Respectfully,
                                        DICK ARMEY
                                        Member of Congress




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------

