Bob Barr

Too Many Eyes on Personal Health Data
The Atlanta Journal-Constitution

March 22, 2006

The most endangered species on the planet? It’s not the snail darter. Or the Calabasas County jumping field mouse. No; it’s the privacy of your medical information. In one of the worst examples ever of the federal government creating a problem, purporting to solve the problem and then making it much worse, the Congress and the Bush administration have made it all but impossible for you to maintain the confidentiality of your most personal information.

The problem began years ago, with the advent of the massive, government health payment system, Medicare-Medicaid. This bureaucracy blew a huge hole in the notion that the medical information of the citizenry was—as reflected in the Hippocratic Oath—confidential and sacrosanct, to be shared only by the patient, his or her doctor and the pharmacist, unless the patient consented to have the data shared more widely. Government-driven tax policies providing incentives for employer-provided health insurance made the problem infinitely worse.

In a move typical of modern, knee-jerk government, in 1996 the Congress passed the Health Insurance Portability and Accountability Act, hailed as a law that would protect the confidentiality of Americans’ personal medical information by ensuring, among other things, that patients would have the power to keep their data private unless they consented to its release. The Department of Health and Human Services thereafter began implementing cumbersome regulations, purportedly to ensure the confidentiality of patient records.

The effect of this move by HHS, however, was just the opposite. Partly as a result of pressure from industry groups, in late 2003 the department issued rules that resulted in hundreds of thousands of businesses and other organizations (“covered entities,” in the parlance of the regulations) being able to access patient medical information.

Moreover, the patient could not object, or refuse consent to have such outside entities gain access to personal health data. So long as the entity seeking access to those records was a “health-related business”—or a business that subcontracted with such an entity—it could gain access.

That’s where we are today. There are, by various estimates, 600,000 to more than 1 million of these “covered entities” out there, including some offshore, that have access without your knowledge or consent to your most personal of information—what doctors you see, what you see them about, what your prognosis is and what medications you take. And the problem’s about to get worse.

Like virtually every aspect of our lives since Sept. 11, the federal government is using the excuse of “protecting us from acts of terrorism” to snatch what little privacy we might have had left. Claiming, for example, that having a single, standardized electronic system of health data in the country would help identify possible evidence of bioterrorism attacks, the administration is pushing Congress to pass a law forcing doctors and others who create, develop and maintain medical records to do so in accordance with federal standards.

Such a so-called National Health Information Network, with electronic health records on virtually every person receiving health care, would be the death knell of private medical information in America.

Why? Because it would be absolutely impossible once you visit a doctor, purchase a prescription drug or submit a claim to your health insurer to keep that information from being immediately transferred electronically to a massive database accessible by—you guessed it—every company out there with even the most remote claim to having something to do with “health care.” Employers? You bet. Banks? Sure thing. Drug marketing firms? Of course. Law enforcement? Yessir.

Not only would the pending legislation blow an irreparable hole in the notion of patient privacy, but it would also prohibit states such as Georgia, which have laws that provide stronger protection for patient information than federal law, from doing so. The Republican Party—which in an era long, long ago could perhaps have been relied on to deep-six such an anti-individual privacy and pro-government regulation proposal—is sponsoring the legislation.

Yet, there is a solution. It is advocated by the Austin, Texas-based Patient Privacy Rights, among others from across the ideological spectrum. These organizations are proposing simply that clear language affirming that it is the patient who owns his or her medical information be incorporated into the pending legislation.

Will such a reasonable provision be included in the legislation? Only if we the people—and our doctors—demand it.

Mr. Barr occupies the 21st Century Liberties Chair for Freedom and Privacy at the American Conservative Union Foundation.