Public Comments: July 2007 – WPF requests that the new National Disaster Medical System protect all patient information to standards at least equal to HIPAA
The World Privacy Forum has filed public comments with the Department of Health and Human Services requesting that its new National Disaster Medical System protect all patient information to at least the baseline protections that HIPAA affords, including the HIPAA security and privacy protections. Currently, the new system does not do this, even though the system is housed at HHS, the agency which promulgated the HIPAA standards. The National Disaster Medical System currently contains overbroad routine uses which could potentially result in significant privacy and even public health issues. For example, public health information will not be able to be disclosed under the National Disaster Medical System as the system is currently organized. Additionally, some of the current routine uses in the system would authorize disclosures that would be illegal under HIPAA. For example, Congressional disclosure of a HIPAA record requires a written authorization, something the new system does not require.
or Read comments below
Comments of the World Privacy Forum regarding National Disaster Medical System (NDMS) Patient Treatment and Tracking Records System to:NDMS Chief Medical Officer,
National Disaster Medical System
330 Independence Avenue, SW., Room G–644,
Washington, DC 20201.
July 23, 2007
Via electronic submission and email
The World Privacy Forum is pleased to have this opportunity to offer comments in response to the publication in the June 26, 2007, Federal Register (72 FR 35052) of a notice of a new system of records called The National Disaster Medical System (NDMS) Patient Treatment and Tracking Records System, System Number 09–90–0040.
The World Privacy Forum is a non-partisan, non-profit public interest research organization. Our focus is on conducting in-depth research and analysis of privacy issues, including issues related to health care.
We have no basic objection to the creation of this system of records or to the requested waiver of the review period. However, the system notice raises questions that the supplementary information does not answer. We are not convinced that the proposed system is the best way to organize the records involved to accomplish the objectives of the Privacy Act of 1974.
I. Does this system contain information subject to the HIPAA privacy and security rules?
It is difficult to answer this question from the information provided. It seems possible that some health treatment provided during a disaster may not be subject to any reimbursement and may therefore not be covered by HIPAA. However, given the scope and purpose of the system with respect to health treatment and health information about individuals, it seems highly unlikely that the system could contain only health information that falls outside of HIPAA. The information provided by the Department in the system notice is insufficient to allow the public to make any positive determination, and this is most unfortunate. We are left to file comments based on guesswork.
The mixing of HIPAA and non-HIPAA information in the same system of records presents some administrative problems. We do not insist that these two categories of health records always be maintained in separate systems, but the system notice itself requires more specificity if the records are to be mixed. For example, the routine uses covering disclosure to a Member of
Congress and to family members do not work as written for HIPAA records. Congressional disclosure of a HIPAA record requires a written authorization. Disclosure to a family member is permitted under HIPAA, but there are more limits than the routine use reflects. Some of the disclosures allowed by the other routine uses for administrative purposes should be written differently for HIPAA records than for non-HIPAA records to reflect the procedures and limitations that HIPAA imposes on disclosures.
In our view, it is improper to propose a routine use authorizing an illegal disclosure. It is not enough to assume that the authority in the routine uses will not be exercised in a manner that violates the law. Not only does the publication of an unqualified or overbroad routine use mislead the public, but it may have the effect of creating confusion among those who operate the system. One result could be unintentional violations of the law together with potential liabilities for the Department.
We cannot understand why HHS might choose to apply different disclosure standards to records in the system based on the applicability of HIPAA. HHS promulgated the HIPAA standards as appropriate policy to protect the privacy and security of health records. We see no justification for adopting weaker protections for personal health information in the system that happens to fall outside of HIPAA. It would have been a better choice for HHS to write routine uses that include all HIPAA restrictions and to apply those restrictions voluntarily to all health records in this system, regardless of HIPAA applicability. The result would be less confusion, more uniform protections for patients, and a simpler system notice. The current notice is simple, but that is because it leaves out too much important information and does not properly qualify the routine uses to reflect the law.
We observe as well that there are many categories of disclosures permitted by HIPAA that are not reflected in the routine uses. We cannot determine if HHS intends to restrict disclosures from this system to a subset of allowable HIPAA disclosures or if the absence of the HIPAA disclosures is an oversight. Either way, the legal effect will be the same, and some routine disclosures of health information for public health, research, and other purposes will not be permissible.
II. The mixing of health information and non-health information in the same system is a mistake.
It is apparent that some information in the system is not and cannot be HIPAA information. Information about animals and animal owners does not normally fall within the scope of HIPAA, although the information on owners falls squarely under the Privacy Act of 1974. We question whether it is appropriate to include non-health information in the same system of records as health information about individuals.
One problem here has to do with routine uses. Those routine uses that are suitable for HIPAA information are not suitable for non-health information. As a legal and policy matter, broader disclosures may be permissible for non-health records. Mixing of these records in a single Privacy Act system crosses too many wires to be administratively feasible and, perhaps, legally feasible as well.
We observe that it does not matter how the data is stored in this system as presently defined. A system of records is a logical concept and does not have to reflect the physical storage of information. The health information and the non-health information can reside in the same computer system and be subject to different system notices.
A second problem here is that while animal and animal ownership information may normally be outside the scope of HIPAA, it can become protected health information subject to HIPAA if it is intermingled with health treatment information about the animal’s owner. We foresee it as likely that the system will include some animal and owner information about individuals who have personal health records as well as about individuals who have no personal health records in the system.
We see the possibility that this system of records will contain the following categories of information:
- HIPAA information on individuals
- Non-HIPAA health information on individuals
- Animal information about individuals who have HIPAA information in the system
- Animal information about individuals who have non-HIPAA health information in the msystem
- Animal information about individuals who are not the subject of any health information.
We are not prepared to argue that it is legally improper to have all of these categories of information in the same system of records. However, we cannot see a good reason to do so. It will produce an administrative nightmare that no one will understand how to manage. The problems will only be compounded by the multiple agencies that will use and provide information to the system. A single system with so many differently regulated records and used by so many different agencies is likely to eventually result in a privacy disaster.
We understand the reason for establishing this system immediately. We think, however, that HHS and the public would be better served if the Department would:
1. Divide the system so that all health data is in one system and animal information is in another system. Some animal information may end up in the health system, but that should not present a problem because it will constitute health data there. The animal information system would not have to be subject to HIPAA security requirements.
2. Treat all information in the health system as if it were HIPAA information for purposes of defining routine uses. That would allow only one set of HIPAA-aware routine uses. All health information would be subject to the same HIPAA security requirements.
Giving the pressure of time, HHS can reasonably proceed with the proposed system, perhaps with some quickly revised routine uses and with a clearer explanation. In the near future, HHS can and should publish new system notices as we have suggested. It should not take long to disentangle these records into more suitable systems of records.
Thank you for the opportunity to comment on the Department’s proposed system of records.
World Privacy Forum