The Honorable Tommy Thompson
Secretary
U.S. Department of Health and Human Services
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, DC 20201

Dear Secretary Thompson:

We are writing regarding the proposed modifications to the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule"), as published in the Federal Register on March 27, 2002 (67 FR 14775). We are concerned that the proposed changes will undermine the confidentiality of patient medical records. Specifically, we are concerned with the proposed elimination of the mandatory prior consent requirements and the roll-back of protections against the use of medical record information for marketing. These proposed modifications do not further privacy protection – they undermine the basic underlying principle governing privacy rights.

Privacy is a fundamental, guaranteed right. It can be found in the Constitution. It has been affirmed by the Courts, and protected through legislation and regulation.

Under federal law, individuals are currently afforded privacy rights that protect their driving records, academic history, and video rental information. If we can protect the disclosure of these pieces of information, surely we can – and must – protect medical records – the most personal, private, and sensitive information about an individual.

Congress has a long record on addressing the issue of medical privacy. The necessity of establishing national medical privacy standards was formally recognized in 1996, when Congress passed the Health Insurance Portability & Accountability Act (HIPAA). This bill, signed into law by President Clinton on August 21, 1996, had the overarching goal of protecting the privacy of medical records. It provided that if Congress did not enact comprehensive national medical record privacy standards by August 21, 1999, the Secretary of the U.S. Department of Health and Human Services should issue regulations to secure the confidentiality of medical records.

In an attempt to meet this self-imposed deadline, Senators Leahy and Kennedy introduced S. 573, the Medical Information Privacy Act (MIPSA), in March 1999. Unfortunately, Congress was unable to come to agreement and pass these comprehensive medical privacy protections.

In a further attempt to enact legislation protecting the privacy of individual medical records, Senator Boxer authored an amendment on the Fiscal Year 2001 Department of Defense Appropriations bill that would have bolstered privacy protections for individuals whose medical records are held

by the Defense Department. This amendment required individuals to provide prior, written consent in order for their medical records to be transferred outside the Department, except for law enforcement and national security purposes. This amendment passed the Senate and was enacted into law, but was effectively repealed in a later authorization bill.

In light of Congress’s ultimate failure to enact comprehensive medical privacy standards per HIPAA’s direction, the Clinton Administration released its own draft regulations in September 1999. After receiving extensive input from the diverse interests of the health care community, the Clinton Administration released its final regulation ("Privacy Rule") on December 20, 2000.

One of the underlying principles of medical privacy is patient consent. The Privacy Rule requires health providers to obtain a one-time written, informed consent from patients, prior to using protected health information for treatment, payment, or operations. There are exceptions where prior consent is not required, such as in emergency situations.

The Bush Administration’s proposal to eliminate the mandatory consent requirement takes away a core privacy protection for consumers. Asking for patients’ consent before disclosing private health information is intended to bolster patient trust and confidence in providers and in health care organizations and to respect the patient’s central role in making health care decisions. Instead of real consent, the proposed modifications to the Privacy Rule suggest that direct treatment providers only have to make a ‘good faith effort’ to get an individual’s acknowledgment they received a privacy notice. This is a much weaker standard than current consent protections. The consent requirement gives individuals some control over how their health information is used and disclosed, and we believe it is an essential component of the Privacy Rule.

We agree that there are some legitimate concerns about the operation of the consent rule in a few specific situations. However, these concerns can be addressed without undermining the entire consent provision. For example, a pharmacist could be treated as an indirect treatment provider and therefore receive the necessary information to fill a prescription without duplicative paperwork requirements. We also agree that the current rule should be clarified to ensure that the one-time prior, written consent covers instances such as: when patients are referred to specialists who need to view their records in order to properly treat them; or when a patient is referred for surgery. Addressing these situations does not require eliminating a patient’s right to grant consent.

Some opponents of the consent requirement have stated that there are likely to be other concerns with consent, in addition to the two cited above. While the Department has received tens of thousands of comments regarding the Privacy Rule – and has found these to be the central complaints – it is worth nothing that the Department continues to have the authority to modify the Privacy Rule as it is implemented. Therefore, we believe that targeted and issue-specific remedies, not sweeping regulatory changes, will satisfy these concerns.

We are also concerned about the proposed modifications to the Privacy Rule with regard to marketing. The proposed changes state that a covered entity must obtain an individual’s authorization before using or disclosing his/her information for marketing. However, the proposed modifications redefines what constitutes "marketing" in a way that would exclude most real marketing activities. The proposed definition says it is not marketing (i.e., one need not obtain an individual’s consent before sharing) "to direct or recommend alternative treatments, therapies, health care providers, or settings of care to that individual.'' We believe this definition would support most everything that is marketing. ‘Recommendations for alternative treatment’ is usually motivated by profits, not medical care.

Take the following example: A patient fills a prescription for an anti-depressant at a local pharmacy. The next week, a drug company pays the pharmacy to mail that patient a pamphlet about that company’s anti-depressant. Under the proposed modification, that activity – the pharmacy being paid to mail a pamphlet detailing a drug company’s product – would not be considered ‘marketing’ and could therefore be carried out without the patient’s authorization.

Furthermore, the patient would have no way of knowing that his information had been sold and would have no way of opting out of future such mailings. The current marketing provision of the privacy rule is not flawless, but it does, at the very least, provide those two protections for individuals. The Bush Administration’s proposal provides none.

We believe that the marketing protections in the Privacy Rule need to be strengthened, not weakened. Health providers should be required to obtain prior authorization before they market to patients, and the definition of marketing should be expansive enough to include communications to encourage a patient to use a product or service where the covered entity receives payment for the communication.

Finally, we want to address those who are claiming the Privacy Rule needs to be weakened because it is not workable. Recent testimony on the Privacy Rule presented to the Senate Health, Education, Labor, and Pension Committee found that the healthcare providers in California who are implementing the Privacy Rule report that it is workable. California’s success with medical privacy serves as an example of what other states can and are in the process of achieving. Their achievements will be negated if the proposed modifications are finalized.

We strongly oppose the proposed changes to the Privacy Rule to the marketing and consent provisions. We urge the Administration to strengthen these protections to ensure patients get the privacy protections they need and deserve.

Sincerely,

Edward M. Kennedy
Patrick J. Leahy
Barbara Boxer