[February 1996; Vol. 23 No. 1]
Here is an account of MPS responses to the assertions about patient confidentiality that Maryland's Health Care Access and Cost Commission (HCACC) has circulated. MPS committees and leadership continue to work on this important issue. See also Beverly Woodward's article in the New England Journal of Medicine, November 23, 1995, where she asserts that entering data into a computer network is a form of publication and, like any other publication of medical information, should require the patient's consent.
The following are HCACC's original questions and answers, each followed by the MPS response.
Why is the HCACC collecting information about medical expenditures?
HCACC: In 1993, the Maryland General Assembly passed legislation creating the Health Care Access and Cost Commission (HCACC or the Commission). Much of the debate on health care costs and access has occurred in a vacuum of reliable and accurate information. This is particularly true of non-hospital services. Among its many duties, the HCACC was required to create the Maryland Medical Care Data Base. (Health General Article §19-1507). The Commission is to report annually on the variations in fees charged and utilization of health care practitioner services. The first report is scheduled to be released February 1, 1996. The purpose of the report is to separate fact from fiction, thereby allowing purchasers and policy makers to make better decisions on health care spending. In addition, with all of the significant changes occurring in our delivery system, this data base can be used to judge whether or not the changes have, in fact, improved access and lowered costs.
MPS: While the data base initiative has arisen from a well-motivated desire to improve health care, the probable value of the effort is extremely doubtful either for health care planning or consumer protection purposes. HCACC's description of the purpose of the data base, and explanation of its utility, is both vague and speculative. Serious questions exist about both the reliability and usefulness of claims-based data in research and planning. The dubious value of the data does not begin to justify its cost in terms of patient privacy, potential deterrence of treatment and financial expense.
What type of information is being collected?
HCACC: In 1995, the Commission began with a voluntary program of data submission. Medicare and Medicaid -- the two major public payers -- and ten private sector payers supplied the Commission with claims information for 1992 and 1993. This information does not include patient names and addresses, nor does it include detailed clinical information from the medical record. Instead, the data include an encrypted patient identifier (to which the payer retains the key), along with charges, payments, procedures performed, and limited demographic information. The HCACC requested that payers provide the encrypted identifier to assist in removing duplicate and adjustment billings that commonly exist in such databases. Were these edits not applied, there could easily be double or triple counts of services. The Commission has recently adopted regulations that will require third party payers to submit similar claims information beginning in 1997. (COMAR 10.25.06). The payers will submit information on all fee-for-service encounters (whether primary care or specialty care) and specialty care encounters in which the provider is paid by capitation. All of the data items collected are authorized by the Commission's enabling statute.
MPS: HCACC's description of the information it is collecting is incomplete. While patient identification numbers are encrypted, it is simultaneously collecting unencrypted demographic data about each such patient, including sex, exact birth date, and zip code, which would make tracing patient identities an easy matter in many cases. Moreover, for each patient encounter included in the data base, HCACC is requiring diagnostic and treatment information. Highly stigmatizing conditions such as sexual dysfunctions, psychiatric problems of all sorts, and HIV positivity are included, specifically correlated with the other patient-identifying data described above.
HCACC's characterization of its current data collection program as voluntary is also misleading. While voluntary for payers, it will not remain so. In any case, it is the privacy rights of patients that are jeopardized by the data base, and in no sense is HCACC's data collection voluntary for them, either now or as planned for the future. Since the only possible justification for the data base is to promote patient welfare, it obviously should be the patient, and not the payer, who decides whether to authorize such submission of data.
What is the HCACC doing to protect confidentiality of the information?
HCACC: The Commission takes its responsibility to protect the confidentiality of this information very seriously. The Commission is required by law to protect the confidentiality of the information it is collecting. There is specific statutory reference in the HCACC's enabling statute to protect the data (Health General Article §19-1507(c) and §19-1511(a)). The Commission is also bound by the provisions of the Maryland Medical Records Act (Health General Article §4-301 et seq.). As indicated earlier, in its initial data collection phase, the patient identifying number is encrypted by the payer. The Commission has also established procedures to severely limit access to the information and to bind its employees and contractors who have access to the data to strict confidentiality protocols. The Commission has a range of options available, including prosecution, if an employee or contractor violates the procedures. Although no security plan is foolproof, the Commission believes the procedures and processes provide ample safeguards. It should also be noted that neither the Commission nor the contractor supports dial-up access; it is not possible for a hacker at a remote location to gain access via a modem and telephone line.
MPS: Although HCACC correctly states that its enabling statute requires it to prescribe regulations to keep information confidential, the statute provides no sanctions whatever for breaches of confidentiality or standards concerning what information is to be deemed confidential and how it is to be protected. Leaving these matters to HCACC's administrative discretion is not appropriate.
The Maryland Medical Records Act, which HCACC likewise cites as assuring the confidentiality of its data base, is aimed principally at the regulation of health care providers. See §4-302(a). It is unclear to what extent, if at all, it applies to HCACC or people whom it permits to have access to its data base. Moreover, because HCACC's own fact sheet strains to differentiate between the so-called medical billing information it is collecting, and medical records, it is unclear to what extent HCACC actually construes its data base to contain medical records subject to the Medical Records Act's protection.
In any event, a knowing violation of the Medical Records Act is a misdemeanor with a maximum first-time fine of $1000, and there is no sanction whatever against negligent disclosure. Such minimal protection against agency error or misconduct by HCACC staff or those to whom it releases information provides little safeguard to Maryland health care consumers.
While the Commission states that it intends to assure confidentiality, its commitment to date appears modest at best. For example, the Commission's proposed recommendation for handling negligent first-time breaches of confidentiality by staff members is to require counseling to avert future occurrences. See HCACC Draft Privacy and Security Plan of August 31, 1995 at p. 2.
HCACC's assurance that it is protecting confidentiality through encryption of patient identities is equally inadequate. While requiring encryption of patient identification numbers, HCACC is simultaneously compiling other unencrypted patient identifying information in its records, such as precise dates of birth and zip codes, which can be easily used to trace specific patient identities through matching against other State data bases or privately maintained but publicly available data bases. Moreover, encryption is always vulnerable to decoding and requires continual revamping to outpace the ever-growing expertise of those who desire to penetrate it. Relying on today's encryption methods to protect archived data over the long run is highly questionable, especially in view of the rapidity of technological change.
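The risk that unencrypted sex, birth date and zip code single out a patient even when the identifier is encrypted can be measured before a data set is released. The following is an added example, not part of the original article or of any HCACC system: over constructed sample rows, it counts how many pseudonymous patients share each combination of those fields as collected, and again after generalizing to birth year and three-digit zip code. All tokens, field values and function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample rows (not real data): an opaque patient token as a payer
# might release it, plus the unencrypted demographic fields named in the text.
CLAIMS = [
    # token,  sex, birth date,   zip,     diagnosis category
    ("a91f", "F", "1961-03-14", "21201", "dx-A"),
    ("a91f", "F", "1961-03-14", "21201", "dx-B"),  # same patient, second claim
    ("7c02", "M", "1961-08-02", "21201", "dx-C"),
    ("e55d", "F", "1961-11-30", "21202", "dx-A"),
    ("0b7a", "M", "1961-01-19", "21209", "dx-D"),
    ("44c8", "F", "1974-06-05", "21401", "dx-B"),
    ("d310", "F", "1974-09-21", "21403", "dx-C"),
    ("9e6b", "M", "1974-02-11", "21401", "dx-A"),
    ("5f27", "M", "1974-12-25", "21409", "dx-D"),
]

def exact(sex, dob, zip5):
    """Quasi-identifier as collected: sex, exact birth date, 5-digit zip."""
    return (sex, dob, zip5)

def coarse(sex, dob, zip5):
    """Generalized quasi-identifier: sex, birth year, 3-digit zip prefix."""
    return (sex, dob[:4], zip5[:3])

def class_sizes(claims, qi):
    """Count distinct patient tokens sharing each quasi-identifier value."""
    patients = {token: qi(sex, dob, z) for token, sex, dob, z, _ in claims}
    return Counter(patients.values())

def k_anonymity(claims, qi):
    """Smallest equivalence class; k == 1 means at least one patient is unique."""
    return min(class_sizes(claims, qi).values())

def unique_fraction(claims, qi):
    """Share of patients whose quasi-identifier matches no other patient."""
    sizes = class_sizes(claims, qi)
    return sum(1 for n in sizes.values() if n == 1) / sum(sizes.values())

if __name__ == "__main__":
    for name, qi in (("exact", exact), ("coarse", coarse)):
        print(name, "k =", k_anonymity(CLAIMS, qi),
              "unique =", f"{unique_fraction(CLAIMS, qi):.0%}")
```

A result of k = 1 means the encrypted identifier adds no protection for that patient, because the demographic fields alone already distinguish the record from every other.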
Is the State creating an on line Medical Record?
HCACC: No. The Commission does not have the authority to create an on line medical record. There may be private sector health care institutions and payers that are creating such medical record systems, but the State of Maryland is not part of those efforts. As noted above, the Commission is collecting certain medical billing information and not the complete medical record.
MPS: HCACC's contention that it is not creating on line medical records is untenable. HCACC seeks to distinguish its gathering of so-called medical billing information from collection of medical records. The billing information HCACC is collecting, however, includes detailed diagnostic and treatment information for the vast majority of patient encounters in Maryland, specific demographic information about the patient, and encrypted ID numbers. A patient's medical diagnosis is obviously the heart of any medical record and is precisely the information which most patients would want both to keep confidential, and subject to their own control, rather than State control. HCACC's compilation of these diagnoses over time will result in its having an abbreviated medical history for every Maryland citizen, without first obtaining the patient's fully informed consent. Any lack of completeness of the medical records HCACC is collecting does not diminish the egregious invasion of patient privacy occasioned by HCACC's current and proposed future data-collection efforts.
While it is true that HCACC's current data collection is not on line, HCACC concedes that its mission is to encourage the adoption of electronic claims submission for that purpose. Indeed, its enabling statute specifically provides that it shall establish reasonable deadlines for the phasing in of electronic transmittal of claims from...[designated] health care practitioners. See §19-1508(6). HCACC is further charged with seeking to obtain its medical data through such electronic claims processing and is specifically empowered to do so. See §§19-1508(a)(1), (a)(5) and (b), as amended. Electronic claims transmittal is by definition on line and will necessarily involve transmission of, and accessibility to, massive amounts of diagnostic and treatment information about Maryland citizens by computer over telephone lines.
What are electronic claims clearinghouses, and what oversight is the State providing those organizations?
HCACC: Electronic claims clearinghouses (ECCs and sometimes referred to as electronic health networks or EHNs) are private sector organizations that facilitate the electronic submission of claims information to third party payers. These organizations have developed over the last several years as a means to lower the administrative cost of health care by providing physicians and other health practitioners with a single source through which they may submit their claims information to third party payers. The HCACC's enabling statute requires the Commission to regulate these entities. The HCACC has proposed regulations that would establish standards for ECCs to become certified in Maryland. The proposed regulations will use national accreditation standards plus stringent State regulations on confidentiality to help impose additional controls on these organizations. Although the HCACC has the authority to require providers and payers to submit claims information electronically, the Commission has instead opted for a voluntary approach in which providers can choose to submit their claims to payers electronically. The HCACC's role is to set standards for these private sector organizations to follow. At the same time, the HCACC has begun an Electronic Data Interchange initiative that will help encourage the adoption of electronic claims submission.
MPS: MPS is pleased that HCACC will currently allow providers who are concerned about risks to confidentiality to continue to use traditional billing and reimbursement methods. We are aware, however, that HCACC's decision to encourage but not mandate electronic claim submission by health care providers can be reversed at any time. Ideally, this statutory authority should be removed.
What about information on self-paying patients?
HCACC: The HCACC is not collecting any self-pay data at this time, and it has made no decision to collect such information in the future. As stated above, for the foreseeable future, the information is being collected from third party payers and not directly from practitioners. In order to more fully address issues of privacy and confidentiality, the HCACC appointed a 16-member advisory committee on privacy and confidentiality. In a very close preliminary vote, that group tentatively decided to include information from self-paying patients at some point in the future. However, the group also agreed that the issue will be re-examined, in the context of other decisions that the advisory group will reach over the next year. Furthermore, once the work group has completed its recommendations to the Commission, the Commission must still decide to accept, reject, or modify the recommendations. Much work still needs to be done in this entire area, including the question of who would pay for the collection of the self-pay data.
MPS: HCACC has thus far shown no inclination to exclude from its proposed data base patients who are sufficiently concerned about privacy that they forgo submitting insurance claims and pay out of pocket. Its enabling statute granted HCACC the authority to collect such information for all patient encounters, including for self-payers. We believe that grant of authority should be reviewed and changed. If such collection were undertaken, it would seriously deter patients concerned about privacy from seeking treatment. Preserving the right of Maryland citizens to opt out of the data base through self-payment of medical costs is too important to leave to administrative discretion or to future administrative curtailment, even if initially permitted by HCACC during this start-up phase of the data base.
MPS Conclusions
While other broad statutory limitations on the data base also are necessary to protect the rights of all Maryland citizens, preserving the self-pay option is one among many measures that the General Assembly should implement to restrict the threat posed to patient privacy and delivery of quality health care. As important as it is, preserving privacy of self-paid medical treatment is not enough. All citizens of Maryland must have a fully-informed choice about whether information they agree can be submitted to an insurer for claim purposes should subsequently be given to the State for inclusion indefinitely in the HCACC data base. Corrective legislation is urgently required now prior to further implementation of this unprecedented, centralized patient-information registry.