The Death of Medical Privacy

As I have read through the Patient Protection and Affordable Care Act of 2010 (PPACA, aka ObamaCare), I have been repeatedly struck by the disregard the law has for patient privacy. Time and time again, the PPACA authorizes the federal government to obtain information about patients directly from their health care providers. A particularly vivid example is Section 4302, "Understanding Health Disparities: Data Collection and Analysis." Section 4302 literally opens up almost every medical record in this country for government review and data collection. Let's go through the section with an eye towards patient privacy issues:

(1) IN GENERAL- The Secretary shall ensure that, by not later than 2 years after the date of enactment of this title, any federally conducted or supported health care or public health program, activity or survey (including Current Population Surveys and American Community Surveys conducted by the Bureau of Labor Statistics and the Bureau of the Census) collects and reports, to the extent practicable--

(A) data on race, ethnicity, sex, primary language, and disability status for applicants, recipients, or participants;

...

(D) any other demographic data as deemed appropriate by the Secretary regarding health disparities.

There is no pussyfooting around in this first portion of Section 4302. Within two years, the Secretary of Health and Human Services will be obtaining extensive health and demographic data about every patient who participates in federally supported programs or who interacts with a public health department. This would encompass every single patient who participates in Medicare, Medicaid, TRICARE, or the Supplemental Children's Health Insurance Program (SCHIP). It is also a good bet that data will be obtained from the Veterans' Administration, government employees' health insurance programs, and patients receiving medical care at local Boards of Health. Lastly, I suspect that various regulatory mechanisms will empower state and local Public Health Departments to collect this data on everyone.

It is worth noting that the description of data to be collected is quite broad. Aside from the laundry list of information to be collected, paragraph (D) authorizes the Secretary of HHS to obtain any additional information whatsoever if it fulfills the purpose of investigating health "disparities." Nowhere in this section is there an actual definition of "health disparities." As a result, one can begin to get a picture of the limitlessness of this mandate.

Next, Section 4302 describes where else the Secretary can turn for data collection and what other sorts of information the government is seeking:

(i) locations where individuals with disabilities access primary, acute (including intensive), and long-term care;

(ii) the number of providers with accessible facilities and equipment to meet the needs of the individuals with disabilities, including medical diagnostic equipment that meets the minimum technical criteria set forth in section 510 of the Rehabilitation Act of 1973; and

(iii) the number of employees of health care providers trained in disability awareness and patient care of individuals with disabilities; and

(E) require that any reporting requirement imposed for purposes of measuring quality under any ongoing or federally conducted or supported health care or public health program, activity, or survey includes requirements for the collection of data on individuals receiving health care items or services under such programs activities by race, ethnicity, sex, primary language, and disability status.

The authors of the law are letting us see a few of their cards. They are clearly looking to use the collected data to support mandates relating to "disability training and patient care of individuals with disabilities." I also believe that the last sentence means that we may see attempts to mandate foreign language translation capabilities in even the smallest of physician offices -- something that has popped up intermittently in other parts of this law.

Who will have access to all of this information? The answer is chilling:

(1) IN GENERAL- The Secretary shall make the analyses described in (b) available to--

(A) the Office of Minority Health;

(B) the National Center on Minority Health and Health Disparities;

(C) the Agency for Healthcare Research and Quality;

(D) the Centers for Disease Control and Prevention;

(E) the Centers for Medicare & Medicaid Services;

(F) the Indian Health Service and epidemiology centers funded under the Indian Health Care Improvement Act;

(G) the Office of Rural health;

(H) other agencies within the Department of Health and Human Services; and

(I) other entities as determined appropriate by the Secretary.

(2) REPORTING OF DATA- The Secretary shall report data and analyses described in (a) and (b) through--

(A) public postings on the Internet websites of the Department of Health and Human Services; and

(B) any other reporting or dissemination mechanisms determined appropriate by the Secretary.

Everyone -- including the public via the internet -- will have access to the analyses. Two paragraphs later, the law authorizes the Secretary to "make data ... available for additional research, analyses, and dissemination to other Federal agencies, non-governmental entities, and the public. ..." [Emphasis added.] As a result, not only will the analyses be made available, but so will the raw data.

Towards the end of Section 4302, the law addresses patient privacy issues:

(1) PRIVACY AND OTHER SAFEGUARDS- The Secretary shall ensure (through the promulgation of regulations or otherwise) that--

(A) all data collected pursuant to subsection (a) is protected--

(i) under privacy protections that are at least as broad as those that the Secretary applies to other health data under the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 2033); and

(ii) from all inappropriate internal use by any entity that collects, stores, or receives the data, including use of such data in determinations of eligibility (or continued eligibility) in health plans, and from other inappropriate uses, as defined by the Secretary; and

(B) all appropriate information security safeguards are used in the collection, analysis, and sharing of data collected pursuant to subsection (a).

I'm not sure if the authors of this section understood what they have written. There is simply too much water under the bridge for Americans to believe that the federal government will be competent at the task of protecting such huge amounts of private information. Furthermore, there is no provision made for requesting patient consent for data collection. As an individual American, you will neither be asked for your consent nor even be notified when your health care information is assimilated by the Department of Health and Human Services. Finally, none of this deals with one of my primary privacy concerns as a physician -- to keep medical information private from the government itself.

The bottom line is that as a result of Section 4302 of the PPACA, the Department of Health and Human Services is now required to extensively and invasively collect personal medical information and widely distribute it in various forms, including in its raw state. It is impossible to believe that the confidential nature of the doctor-patient relationship can survive in this new environment.

I have one last question. Will the Secretary be gathering information on reproductive health?

Dr. Arie Friedman, M.D. is a general pediatrician and medical practice owner in Northern Illinois.