Privacy, Confidentiality, and E-health
2. Internet and the Right to Privacy in E-health Pacific West Law Group
Another major area of interest in e-health legal issues is that of privacy. There is no greater area of potential liability for e-health companies than the unauthorized disclosure of confidential medical information about an individual. Most states have some kind of legislation protecting the confidentiality of medical information of its citizens. Federal law has also extended similar protections through the Health Care Financing Administration and its Medicare and Medicaid programs. Stringent new confidentiality requirements are now being developed as a part of the regulations under the federal Health Insurance Portability and Accountability Act of 1996 to protect individually identifiable health information from unauthorized disclosure.
2001 Report to Congress on Telemedicine, Office for Advancement of TeleHealth, (Last visited: March 17, 2003)
***Next Steps Overview
Privacy, security and confidentiality concerns are not unique to telemedicine. Industries such as banking, credit card and health care are particularly concerned about personally identifiable information and the possible consequences that could arise should sensitive information be made public. Advances in technology have brought great benefits as well as drawbacks in this area. Many view loss of privacy as part of living in the 21st Century. As Scott McNealy, Chairman and CEO of Sun Microsystems has succinctly put it: "You have no privacy-so get over it!" Fortunately, Congress, a number of state governments and privacy advocates provide a balance to this point of view.
A non-official "working definition"8 of these concepts is that Privacy is an individual's claim to control the use and disclosure of personal information. This claim is backed by the societal value representing that claim. Confidentiality is a status accorded to information that indicates it is sensitive for stated reasons and therefore must be protected and access to it controlled. Security are the safeguards (administrative, technical, or physical) in an information system that protect it and its contents against unauthorized disclosure, and limit access to authorized users in accordance with an established policy.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) not only affects employees' health insurance portability but under the Administrative Simplification (AS) provisions also mandates the development of far reaching national standards for electronic health transactions. These standards include electronic transaction standards for electronic exchange of health information for administrative purposes; standards for the privacy of individually identifiable health information; a national provider identifier; an employer identifier; and secure electronic signatures, among others.
According to the Act, the Secretary of DHHS must develop final regulations relating to privacy standards by February 2000, if Congress has not acted by August 1999. In 1997, the Secretary together with the National Committee on Vital and Health Statistics (NCVHS), which serves as the statutory public advisory body to the Secretary, sent preliminary recommendations to Congress. In the absence of Congressional action by the mandated deadline, DHHS published a notice of proposed rulemaking in November 1999. Final HIPAA privacy rules were published December 28, 2000 and an DHHS fact sheet on these rules can be found in Appendix 7. The complete text and the summary can be found at: http://aspe.hhs.gov/admnsimp.
HIPAA privacy rules cover health plans (e.g., insurers, managed care organizations, federal health programs), health clearinghouses (which unify data in standardized formats) and health care providers, who use who engage, directly or through contractual arrangements, in HIPAA standard electronic transactions. Eligible individually identifiable health information can be in electronic, paper or oral format. Thus, the general principles for the use and disclosure of personally identifiable health information are applicable regardless of the form the information is kept in, the methods of transmission, the time sequence of its creation and use, or the way it is communicated. Consequently, the proposed standards for the privacy of individually identifiable health information may greatly affect how the healthcare industry as a whole and the telemedicine industry in particular protects privacy in the future.
Potentially one of the most challenging issues for telemedicine practitioners will be DHHS' proposal for federal law to preempt state law only when state privacy law is less stringent. If state law is in conflict with federal regulatory requirements, the rules providing more stringent privacy protections should prevail. If many states have more stringent privacy laws, they would all predominate and telemedicine practitioners could be faced with a patchwork of state privacy standards. For example, should telemedicine specialists at a hospital in state A, who confer with patients in states B, C, D and E, determine which state law of the five states is the most stringent for privacy and comply with that state law?
All states have laws governing the use and disclosure of health information; however, there are wide discrepancies in protection, complexity and coverage among them. Moreover, there is typically no one statute governing health data within a state. The Health Privacy Project of the Institute for Health Care Research and Policy at Georgetown University has compiled a comprehensive 50-state survey of health privacy statutes. A summary of findings is found at the Health Privacy Project Web site at: http://www.healthprivacy.org/resources/statereports/exsum.html. At this time, it is too early to predict the impact HIPAA privacy requirements will have on the health industry at large or the telehealth industry in particular. On one hand, ensuring and maintaining patient privacy and security measures are good business practice. These practices could provide greater reassurance to those reluctant to participate in telemedicine for privacy or other reasons. On the other hand, specific requirements that do not reflect telemedicine common practices may create problems. Whether HIPAA requirements prove to be too burdensome for telemedicine practitioners or whether HIPAA will create a "chilling" effect on the industry remains to be seen.
OAT and the Assistant Secretary's Office of Planning and Evaluation have recently funded a study and a conference entitled Privacy, HIPAA and Telemedicine that will be completed in Spring 2001. The purpose of the study is to identify privacy issues unique to telemedicine and to determine how HIPAA may affect telemedicine practitioners and patients. The study will draw upon the experience of OAT's grantees, who include over 60 telemedicine networks and over 400 sites.
As we discuss in the Chapter on Emerging Trends and Policy Issues, technology changes in the industry may call for retrofitting HIPAA rules. HIPAA rules do not necessarily cover all consumer-oriented Internet Web sites that collect, store and maintain personally identifiable consumer information. Thus, this privacy measure does not cover an important telemedicine and consumer arena. A further discussion of this subject is highlighted below.
While a detailed discussion about consumer health privacy online is not within the scope of this report, it is important to note some recent findings. Over the past few years, consumer concerns about privacy on the Internet have escalated. According to a new Gallup poll commissioned by the MedicAlert Foundation, "almost 90% of participants said that, in general, the confidentiality of their personal health information was important, and almost 85% said the were "concerned" that this information could be given to others without their consent."9 The public's concern about privacy online may be justified, according to several recent reports and surveys.
***Global-Healthrax, which sells health products online, inadvertently revealed names, home phone numbers, bank account and credit card information of thousands of customers on its Web site.
***Kaiser Permanente mistakenly sent responses to members' e-mail to the wrong recipients. The email messages, some of which contained sensitive information, affected 858 members who use Kaiser's on-line services.
***Finally, thousands of patient records were accidentally made available to the public on the University of Michigan Medical center's Web site.
For example, Georgetown University recently released a report, called the Health Privacy Project (http://ehealth.chcf.org/), about the practice of privacy protocols on health related web sites. The five major findings are:
*** Consumers are using health Web sites to better manage their health, but their personal information may not be adequately protected.
***Visitors to health Web sites are not anonymous, even if they think they are.
***Health Web sites recognize consumers' concern about the privacy of their personal health information and have made efforts to establish privacy policies; however, the policies fall short of truly safeguarding consumers.
***There is inconsistency between the privacy policies and the actual practices of health Web sites.
***Health Web sites with privacy policies,that disclaim liability for the actions of third parties on the site, negate those very policies.
Other notable reports that discuss consumer privacy and the Internet include those released by the FTC (see below) and a series of publications, included in a special edition of Health Affairs, Vol. 19, No. 6. According to one, entitled Virtually Exposed: Privacy and E-Health, "a recent study of 21 leading health related Web sites found that the polices and practices of many fell short of consumers' expectations for privacy." The publication also pointed out news stories, highlighting the lax security for information shared and maintained online, as shown in Box 7. Consumers are using health Web sites to better manage their health, but their personal information may not be adequately protected.
Both the states and Congress have also responded to consumer privacy concerns by introducing a large number of bills that attempt to protect the privacy of personal information collected from the Internet. For example, Congress introduced and passed the Children's Online Privacy Protection Act of 1998. This law requires the FTC to develop regulations, protecting the privacy of personal information collected from and about children on the Internet and to provide greater parental control over the collection and use of that information. Recently, Congress introduced the Health Information Privacy Act (H.R.1941); the Medical Information Protection and Research Enhancement Act of 1999 (H.R.2470); the Consumer Privacy Protection Act (SB 2606 IS); the Consumer Internet Privacy Protection Act of 1999, (H.R.313 IH); and the Consumer Internet Privacy Enhancement Act, among other bills that seek to protect the privacy of consumers who use the Internet.
As noted in the previous Chapter, the FDA, Department of Justice and state governments all have roles in online regulation and enforcement but the FTC has emerged as a key online consumer protection regulator, overseeing privacy protection and deceptive trade practices on commercial Web sites. The FTC has published a number of reports on online consumer protection, including Protecting Consumers Online: A Federal Trade Commission Report on the First Five Years of Its Internet Law Enforcement Program, 1999. It also recently submitted a Report to Congress, entitled Privacy Online: Fair Information Practices in the Electronic Marketplace, May 2000 (http://www.ftc.gov/os/2000/05/index.htm#22). Among other things, this Report establishes the FTC's authority to regulate personal data collected online, based on Section 5 of the Federal Trade Commission Act and the Children's Online Privacy Protection Act. However, the FTC still lacks authority to require Web companies to adopt standard information practices such as its Privacy Principles. These four widely accepted information privacy principles are outlined below:
*** Notice: Provide consumers clear and conspicuous notice of information practices;
*** Choice: Offer consumers choices as to how their personal identifying information is used;
*** Access: Give consumers reasonable access to the information the Web site has collected about them;
*** Security: Take reasonable steps to protect the security of the information collected from consumers.
While the FTC continues to strongly encourage industry self-regulation, its 2000 Report Survey demonstrates that self-regulation alone has not been sufficient. According to the Report, only 20% of the busiest Web sites comply with FTC Information Privacy Principles and only about 41% of all Web sites comply with at least two principles.
In the past, the FTC has been reluctant to recommend legislative remedies but in the 2000 Report, the FTC offers legislative recommendations to Congress that would set a basic level of privacy protection for all visitors to consumer-oriented commercial Web sites. The legislation would "require all consumer oriented commercial Web sites to the extent already covered by the Children's Online Privacy Protection Act of 1998 (COPPA), to implement the four widely-accepted fair information practice principles, in accordance with more specific regulations to follow."10
*** OAT together with the Office for the Assistant Secretary of Planning and Evaluation have funded a research paper, Privacy, HIPAA and Telemedicine, as well as a conference on the same subject. OAT and OASPE anticipate that the final paper and conference will be completed by summer 2001 and the results made available to the public both in print and on OAT's Web site, shortly thereafter.
8Willis Ware, Lessons for the Future: Dimensions of Medical Record Keeping, in Health Records: Social Needs and Personal Privacy 43 (Task Force on Privacy, U.S. Department of Health and Human Services (1993)).
9California Healthcare Foundation, Online News (http://ehealth.chcf.org).