INTRODUCTION
Robert E. Moffit, Ph.D.
While Congress has been engaged in a
heated debate over managed care reform and the media have reported
another increase in the number of Americans without health
insurance, a crucial health-policy issue is being neglected: the
privacy of personal medical records. Earlier this year, the Health
Care Financing Administration (HCFA), the regulatory agency that
runs the Medicare program, proposed a rule to force almost 10,000
home health-care agencies around the country to report sensitive
personal information on patients and to transmit this information
to a federal database and, eventually, to state databases. Under
the proposed rule, this would take place without the patient's
knowledge and fully informed consent.
Under the rule, officials of home health
agencies contracting with Medicare would be compelled to report
sensitive, personal information ranging from the patient's history,
personal characteristics, race, ethnicity, and living conditions to
financial and behavioral profiles. But HCFA's intrusion would not
stop there. The detailed record includes inquiries into whether
patients expressed "depressive" feelings, a "sense of failure,"
"thoughts of suicide," or had used excessive profanity or made
"sexual references." Remarkably, this Medicare data-collection
program (called the Outcome and Assessment Information Set, or
OASIS) would not be confined to Medicare patients, but would
include patients not even being treated on the Medicare program
seeking home health services, even though no Medicare payment was
being sought or made.
Backing Off. Collection of personal
data already had commenced, but in April, media attention and
adverse publicity led officials at HCFA to back off on enforcing
their initial rule. On June 18, HCFA published another version of
the data-collection rule for home health agencies. With one
exception, said officials, HCFA would continue to use all of the
questions it originally proposed. It would continue to require the
collection of information on non-Medicare patients, but it would
not transmit information on those patients until an encryption
system was developed to mask "patient-identifiable" data. HCFA
officials said that they expect such a system to be developed by
the spring of 2000. HCFA also restated its intention to collect
personal information on Medicare patients for transmission to the
federal database. In response to privacy concerns, HCFA said that
it would provide Medicare patients "notice" that this information
was being collected and transmitted, but this is far short of
seeking a patient's voluntary and informed consent. Under the
revised rule, the collection resumed on July 19. Then, one day
later, the General Accounting Office (GAO) issued a general report
on Medicare's confidentiality procedures that was sharply critical.
The GAO uncovered significant weaknesses in the current Medicare
system that could enable unauthorized individuals to have access to
confidential information. Meanwhile, the Congress has not yet
intervened to enact any law to safeguard the privacy of Medicare
patients or to prevent future intrusions into their privacy.
A Larger Debate. The HCFA Medicare database issue is part of a
larger debate. Under the Health Insurance Portability and
Accountability Act of 1996, Congress authorized the establishment
of a "unique patient identifier," a provision originally included
in the Clinton Administration's massive and unsuccessful Health
Security Act of 1993. Under the terms of the 1996 law, Congress was
supposed to have enacted legislation to protect the privacy of
medical records by August 1999. Congress failed to meet that
deadline. The 1996 law therefore authorizes the Secretary of Health
and Human Services to protect medical confidentiality through
regulation. This, however, is not necessarily a comforting
prospect. HCFA, after all, is part of the Department of Health and
Human Services. It is not clear how much the Secretary would be
willing to rein in HCFA's excesses. And experience shows that
"intrusive" is almost a synonym for federal regulation.
So that is where the medical privacy issue stands today. Last May, at
a Heritage Foundation symposium, a panel of distinguished experts
explained how the issue of HCFA's intrusions into patient privacy
in the Medicare program is of necessity part of a much larger
question about the privacy of Americans' most sensitive
information. This is an issue that Congress and the Administration
need urgently to address.
Robert E. Moffit, Ph.D., is Director of Domestic Policy Studies at
The Heritage Foundation.
HOW PATIENTS ARE BEING STRIPPED OF THEIR PRIVACY
Paul Appelbaum, M.D.
By the time we are done here today, I think you will all conclude that
threats to our health care privacy are both real and imminent.
Unfortunately, both the public at large and Congress are oblivious
to their nature and extent.
HCFA's Outcome and Assessment Information
Set (OASIS) is one example that we'll be examining closely. I think
it is important for all of us to recognize that OASIS is just part
of a broader pattern of assaults on health-care privacy, including
congressional authorization of a national unique patient identifier
for every American. One number for every person, from sperm to
worm, as they say, that would track all of our medical-care
contacts for ever and ever. While that patient identifier is
temporarily on hold, it still lurks out there, having already been
authorized by Congress.
Much of the current legislation before Congress would deprive patients
of control of the dissemination of information from their
health-care records. It constitutes an abrogation of patients'
traditional rights.
Before looking more closely at the
Medicare OASIS program, we should ask why these systematic threats
to medical privacy are occurring now. There are several reasons.
First, we have the computer technology that makes it possible to
aggregate nearly infinite amounts of data about all of us. Second,
we have a concern with costs and a misleading belief that, if only
we could track every patient's care, we could control our health
care costs. That concern drives those who pay for care, including
the federal government, which pays for a staggering percentage of
health care in this country. Those who pay for health care are
collecting ever-increasing amounts of data and they are utilizing
that advanced computer-based technology to do so.
Once collected, that information becomes an irresistible target for all
those who seek some advantage from access to medical record
information, whether they are marketers for pharmaceutical
companies, regulators in federal agencies, law enforcement
personnel, or researchers. That is part of the dynamic driving
HCFA's OASIS program.
What Oasis Is. If "oasis" evokes an
image for you of palm trees gently swaying in the breeze and pools
of cool water in an otherwise parched desert, that image is a
mirage.
The OASIS we are talking about--the Outcome and Assessment Information
Set--is a 79-item questionnaire designed to be completed by home
health-care agencies on all their patients. It was commissioned by
HCFA and developed by a research center in Denver.
HCFA has now issued regulations--temporarily in abeyance--that would
require every home health agency to fill out an OASIS questionnaire
every time a person enters or leaves the care of an agency, even if
just going into a hospital and coming out again, 60 days after
entry to care.
Much of the information collected by OASIS is highly personal. For
example, whether a person has urinary or bowel incontinence and, if
so, how often. A person's financial status, whether they are
alcohol or drug dependent, the frequency with which they experience
anxiety, the sense of failure or self reproach that they may feel,
whether they're indecisive or suffer a lack of concentration, or
whether they sprinkle their conversation with sexual references.
Some of this information may be useful to home health agencies in
planning a person's care--although I must wonder about other
aspects of it.
Our concern is less that agencies would be required to collect that
information than what they would be asked to do with it. HCFA
regulations would require the agencies to transmit the information
to HCFA in identifiable form, that is, with a name or other
identifier attached.
Now the federal government will know whether you display "socially
inappropriate behavior" in your home, have rodents in your house,
or have attempted suicide--all questions that are included in the
OASIS database.
What possible justification could HCFA have for wanting this
information? HCFA now offers two, although they change, they mutate
over time. OASIS, officials claimed, will help HCFA monitor the
quality of care that patients receive. Also, OASIS will provide a
basis for HCFA to develop a prospective payment system, that is, a
fixed-payment-per-case method for home health care.
HCFA's Excuses. These
justifications just don't stand up to close scrutiny. The random
OASIS data will not help HCFA monitor quality of care because the
database doesn't provide the right information for the task. OASIS
details patients' current condition, but not what is being done to
treat them. Nor does OASIS measure the efficacy of that care, and
those are the crucial data if you are focusing on quality.
Moreover, it defies belief that HCFA
intends to assess the quality of care--even assuming OASIS could do
it for them--for every patient receiving federally funded home
health care. This is a task best done at the agency level, the
agency that is providing the care. HCFA does not need OASIS to
monitor quality.
Nor are these data needed in the way they are proposed to be
collected--that is, indefinitely--on every patient in home
health-care treatment, to develop a prospective payment system.
Only a sample of patients need to be examined in order to develop a
payment methodology, as long as the patient's specific information
and billing information, that is, a detail of the services
rendered, can be linked.
HCFA officials don't need to know who these people are. They don't need
the identifiers. They could, in fact, hire a contractor to provide
an identified sample of appropriate data for their use in
developing payment methodology, just like they hired a contractor
to develop OASIS in the first place. There is no reason why this
huge amount of identifiable data needs to reside in federal
government computers.
OASIS is an example of the current
government approach to medical privacy. It is based on two
assumptions: First, more information is always better than less,
and second, the patient's interest in privacy is so insubstantial
that it can be overridden on the flimsiest of pretexts.
A similar attitude is evident in the leading medical records
information proposals now in the Senate, and more recently in the
House.
Consider the bill introduced by Senator
James Jeffords (R-VT). Under this proposed legislation, patients
would be stripped, as a condition of receiving insurance and
treatment, of their traditional control of information in their
records for treatment. States would be stripped of their
traditional power to regulate medical-records privacy, which would
be preempted by the federal government. No special protection would
be afforded especially sensitive medical information, such as
psychiatric records, sexually transmitted diseases, pregnancy,
abortion, and the like.
The message, I think, is clear. America needs to watch out. Americans
need to be on the alert. Because the Medicare OASIS program is just
the beginning.
Paul Appelbaum, M.D., is
distinguished professor of psychiatry and the director of the Law
and Psychiatry program at the University of Massachusetts Medical
School. Dr. Appelbaum is vice president of the American Psychiatric
Association. He is the past president of the American Academy of
Psychiatry and the Law, and past president of the Massachusetts
Psychiatric Society.
LESSONS FROM THE KENTUCKY HEALTH PLAN
Kent Masterson Brown
We have a principle that has constitutional underpinnings. It is that
informational privacy in one's medical care is a right. Yet, when
you look at the picture of medical records in this country, there
are so many individual institutions--both government and
private--that seek medical records, the exceptions literally
obliterate the rule.
Let me call your attention to a recent book review in The University
of California Law Review. The subject was a new treatise on
medical-records privacy. The review began with the basic postulate
that there is a constitutional right to privacy. Yet, the remaining
600 pages of the book discuss all the exceptions. Finally, the book
reviewer just said, "Privacy is dead; hurray for privacy!" And
that's pretty much the way it is: "Hurray for privacy," but it
seems dead.
With respect to OASIS in the Medicare program, I see three basic
problems.
First, it invades an individual's private
domain, the most private of all. It seeks more information than the
government could possibly find necessary. Why do they need to know
whether or not there are visible fire alarms on the wall? There is
no need. If they are looking for a means by which they can develop
a prospective payment system, why does it need to be
person-specific?
Second, at least under the initial or
proposed Medicare rule, HCFA invades the privacy of people for whom
the federal government pays nothing. The home health agency is
required to collect this data on everybody as a condition of
participation in Medicare. Why?
Third, once the information is collected
by the government, it is controlled by the government. What happens
to it? Where does it go?
That is the crucial question. If you went before a federal district
judge, and there was a record-production statute that had a
confidentiality requirement making it a criminal violation to
divulge that information, the judge would say, well, that's
probably constitutional. You'd walk away and say, okay, fine.
But even if it is a criminal violation for someone to divulge
information that is patient-specific, that does not give me a high
degree of confidence. Let me tell you why.
Back during the big health care reform debate in 1993 and 1994, a lot of
states were developing their own health care reform bills very much
like the Clinton Health Security Act. I was in that mix, because I
was suing the Clinton Administration over the disclosure of the
records of the Administration's Health Care Task Force. In order to
get those meetings open to the public, we had to prove that the
people who formed the task force were not all full-time government
employees. We found that to be true, and we did it by identifying
several people on that task force who were listed as health policy
fellows. It was brought to our attention that a major private
foundation in this country has a health policy fellowship program.
This opened up the records, because now we had a task force, an
interdepartmental working group, that was not composed entirely of
full-time officers or employees of the federal government.
At the same time, we found that this private foundation was giving
money to the states to enact health care reform bills, much like
the Clinton plan. My home state of Kentucky was one of them. So, I
asked, under an open records request, for information on that
foundation. Indeed, they had actually given money to the state of
Kentucky to see this Clinton-style proposal implemented.
The Kentucky Health Plan. I say all
this because Kentucky, with that bill, enacted the most sweeping
health-care data requirement it has ever had. It was a mirror of
the Clinton plan. It was also a mirror of what was taking place in
other states.
The Kentucky Health Plan set up a health-data commission, a
health-policy board. It collected data on everybody, even though
the state government did not pay a dime for that health care. It
required every physician to file the equivalent of a HCFA 1500
Claim Form on every patient: name, address, Social Security number,
what they did, what the diagnosis was, what the treatment was--all
of that. It also made it a criminal offense for anyone in
government to divulge that information. Sounded fine.
Well, in Kentucky, I filed an action
challenging the constitutionality of that statute for the reason,
among others, that this statute was enacted because private money
was given to the government to create the Kentucky Plan, and then
private money came in to implement that plan.
Please understand. I am not saying this
private foundation that supplied funding ever got one piece of
information here. But I am saying that this sort of arrangement
created a door for information of a sensitive nature to flow in and
flow out.
In the case, we rescued, from among the volumes of relevant
information, a document that the governor of Kentucky had signed.
Consider this. The bill creating the Kentucky Health Plan was
passed on April 14, 1994. On April 28, the governor of Kentucky
entered into an agreement with this private foundation. The purpose
of this grant is to assist with the implementation of House Bill
250, the Kentucky Health Reform Bill, including the data component.
As one of the conditions of receiving the money, the foundation
received a specific grant of authority from the state of Kentucky.
I'll read it to you: "(8) The grantee," meaning Kentucky, "hereby
grants to the foundation a nonexclusive, irrevocable, perpetual
royalty free license to use, and licenses others to use any and all
data collected in connection with the grant, in any and all forms
in which the data is affixed." Now, again, I have no idea if any
data were transmitted, but does that agreement bother you? It
bothered me.
With respect to Medicare's OASIS Program, I went through the regulations
that the government proposed on January 25, 1999. I found that they
have an HCFA-OASIS contractor. The contractor is getting this
information--the information that's creating the data set. That
contractor is the University of Colorado Health Sciences Center,
Center for Health Services and Policy Research. Then, I tried to
find out, just out of the blue, if this same private foundation is
funding that center. So I went to the foundation's annual report of
1997, which lists all of its grants. In 1997, the year ending
December 31, here's what's listed: "University of Colorado Health
Sciences Center, Denver, Colorado, a grant in the amount of
$1,425,423, for assisting home care providers in using patient
outcome data to improve care for four years." They entered into the
identical agreement that the governor of Kentucky did with
paragraph 8 of the Kentucky agreement. It's the standard form
agreement.
Now I ask you, is that data confidential? Who is to get the data? Is it
the private agency that is financing the assembly of it at the
University of Colorado? So who gets it? I have no idea.
All I know is that the barn door seems wide open. That's the problem.
What is government to do with it? Where is it going to go? That
question alone illustrates the gravity of the problem.
Kent Masterson Brown is
counselor to the United Seniors Association. Practicing in
Danville, Kentucky, and Washington, D.C., Mr. Brown specializes in
health-care law, with an emphasis on constitutional law. Mr. Brown
represented the Association of American Physicians and Surgeons in
its suit against the Clinton Administration to force public
disclosure of the content and composition of the 1993 Health Care
Task Force run by Hillary Clinton.
MORE PAPERWORK, LESS CHOICE
Jim Pyles
Our firm had been working on the OASIS issue for months. We brought the
privacy concerns to the attention of HCFA officials in August 1998,
and again in September and December of that year.
I contacted the folks at HCFA and told them that this was not only
bad policy, but it looked like it had the makings of a real
political backlash. I suggested that they really ought to sit down
and chat with us about it.
I met with them in January and again in February of this year. The
latest meeting was on February 25, the day after the initial
collection requirement went into effect.
Bureaucratic Insensitivity. The
concerns of the individuals and the patients were of no relevance
to HCFA at all. I told them that study after study had shown that,
when mental health information is forced to be disclosed, the
patients simply don't disclose the information any more.
As Dr. Appelbaum said, this OASIS data collection included patient
information with respect to whether they were depressed, had
feelings of hopelessness, feelings of suicide, and all of it
compelled to be disclosed to the federal government and the states
in a fully identifiable form. And it was to remain on file for a
period of three years.
I pointed out to HCFA that the private home-health agencies would
have to tell both Medicare and non-Medicare patients: "If you tell
me you're depressed, I'm going to have to report that to the federal
government. If you tell me you live alone, I'm going to have to
report that to the federal government and to the state
government."
Those of us who have worked around the
psychiatric community know that patients will never make those
statements any more, and those are the very statements that are
necessary for diagnosis and treatment.
The thing that the folks at HCFA failed to understand, it seems to me,
is the same thing that Members of Congress now are failing to
understand: that privacy is an essential element of quality care.
It is indispensable.
This issue of what to do about privacy standards did not fall on us this
year out of the sky. Profound thinking has gone into this issue. A
lot of it has been summarized in a 1996 United States Supreme Court
decision in the case of Jaffee v. Redmond. In that
case, the Supreme Court analyzed the question of whether
psychotherapy communication should be kept private. The Justices
did what Congress should be doing, but is not. They went back and
analyzed the history of the issue. And their decision was a ringing
defense of the principle of privacy. Let's be clear on an essential
point. Every professional examination of the privacy issue has
found that maintaining the privacy of mental-health communications
is essential to effective mental-health therapy.
What is at stake here is clear: If we don't protect the privacy of
individual patient information, particularly psychotherapy
communications, we are going to lose effective psychotherapy in
this country.
The United States Supreme Court clearly understood the stakes in the
case. As the Supreme Court noted, privacy in these matters is not
just an individual interest; it's also a public interest. There is
no conflict here between individual and public interest. They are
concurrent.
I recently testified before the Senate Special Committee on Aging. I
had with me the OASIS data form with each page stapled end to end.
I unrolled it, and you could hear gasps throughout the hearing
room. It went from the hearing desk and banged into the back wall.
The thing is over 30 feet long. It contains more than 450 data
elements. And as Mr. Brown was noting, under the original rule it
was to be filled out and completed on non-Medicare patients who get
something as simple as a bed bath.
The research folks, one of the HCFA subcontractors, did research to
find out how long it takes home health agencies to get this thing
completed. It's anywhere from an additional hour to two hours, per
patient, each time. The patients, not surprisingly, rebelled.
This data collection effort was actually in effect on February 25, until
the Vice President compelled HCFA to pull it and do a privacy
evaluation. In the meantime, however, we learned a lot. HCFA's view
was that home health agencies would have to terminate services to
any patient who didn't consent to the collection and reporting of
this information. We found that the care givers, in order to
preserve access to the necessary medical services, made up the
entries. They just made them up.
It was another hassle factor. More paperwork was becoming a barrier to
quality care because you couldn't have Medicare services unless you
consented.
In addition, the very data that they were trying to collect was
hopelessly corrupted, so it was eroding the quality of health care
in two ways. First, it was preventing patients from getting access
to the care. Second, it was generating data that HCFA was planning
on using for future development of a prospective payment system for
home care, and that, in turn, would be helplessly flawed.
OASIS is a real warning shot. Americans
need to wake up and understand that privacy is not just a personal
preference. It is really a medical necessity. That was the
conclusion of The Los Angeles Times in a May 10 editorial on the
subject. A recent California Health Care Foundation study found
that, increasingly, patients will lie, and the physicians will not
put down accurate information, in order to protect the patient's
privacy.
Unless we protect privacy, unless Congress
protects the privacy of medical information, we are going to
fundamentally alter the way in which health care is delivered in
this country. And it is going to be altered for the worse. Patients
will simply forgo getting the care. They won't provide accurate
information. The medical practitioners will not put it down, or
they'll put it down in a skewed manner so it protects the patient's
privacy.
Patient privacy is very much like personal
self-defense. It's a fundamental drive. People will do whatever it
takes to protect themselves and their family. If you try to violate
someone's privacy, if you take their privacy away from them, they
will do whatever it takes to preserve it.
The United States of America was founded on the need to protect your
individual privacy and to keep the government out of your personal
life, unless you violate the law. We have an expectation of that in
this country.
Under Medicare's OASIS program, we have
seen nurses being compelled to go into people's homes and obtain
information that was not necessary for their diagnosis and
treatment, but deemed necessary for a governmental program. These
nurses are, in effect, federal agents going into homes, where you
think that people would have a right to privacy, and according them
less protection than an accused criminal would have. Their only
crime was being sick.
As I pointed out to the Senate Special Committee on Aging, being sick in
this country should not be treated as a crime. We should make sure
patients have the basic personal protections they need and
expect.
One last point. I hear this a lot: that insurance companies have access
to a lot of your personal information anyway, hospitals do, doctors
do, and even HCFA has access to a lot of home health information on
an individual basis. So, why should we be worried now that Congress
may allow this information to be collected for health-care
operations? Well, it is one thing to have this kind of information
passed to an insurance company or the government, on an ad hoc
basis, but it is quite another to have your government
establish a new standard that compels the reporting of this
information routinely. That, in my view, will undermine the
confidence of the public in the health care delivery system.
That is what is at stake in the congressional legislation that is
currently under consideration. It was clearly a mistake in
Medicare's OASIS program.
Jim Pyles is attorney
for the American Psychoanalytic Association and a founding member
of the law firm of Powers, Pyles, Sutter & Verville in
Washington, D.C. He has specialized in health-care law, both in the
federal government and in private practice, for nearly thirty
years.
GETTING THE LEGISLATIVE PROCESS BACK ON TRACK
Ronald Weich
I want to commend the Heritage Foundation for holding this very
timely and important forum. This issue is really at the center of
the congressional agenda, and I appreciate the opportunity to come
and talk about the ACLU's perspective on this.
There are some who might find it amusing
or ironic that a representative of the ACLU would be at a Heritage
Foundation forum. The Heritage Foundation is on the right of the
political spectrum, and the ACLU is often characterized as being on
the left. People who follow issues of privacy and constitutional
law and civil liberties know that it's not really a spectrum, but a
circle. On the left and on the right, very sensible people get
together to defend the constitutional right to privacy and the
inherent right to privacy that all human beings have.
That right to privacy is absolutely crucial in the health-care context.
Trust is essential to quality health care. You go to a doctor, and
you undress. You disrobe, and you expect that the conversation
between you and your doctor and the information that the doctor
learns about you from your comments and from the fluids that he
draws from your body are to be kept private. That's information
that's going to be strictly between you and that doctor.
There is a real question about whether
there is a legal right to privacy or confidentiality in that
encounter. Certainly, there is a common-law rule that speaks of a
doctor-patient privilege, so that a doctor could not take the
witness stand in a criminal or civil case and testify about that
encounter or reveal the records without the patient's permission.
There is also a Fourth Amendment right in our personal effects, our
papers.
For different reasons, those traditional protections of privacy are
increasingly ineffective. The common law privilege is between a
doctor and a patient. But who has our records these days? It's not
just "Marcus Welby, M.D.," the wise and kindly family physician
portrayed in the old television series. It's the insurance company
that reimburses "Dr. Welby" for his services. It's the
pharmaceutical company that fills the prescription. It's the
managed-care company that looks over his shoulder to see whether he
is providing care in an efficient manner.
The records of our medical encounters with doctors are spreading far
beyond the doctor's office. Of course, that is the result of
technology, which is very beneficial to the health care system. It
allows for the transmission of health research and health
information and that, too, dramatically improves the quality of
care.
No one on this panel is suggesting that we go back to paper and pencil
records. Electronic communications and electronic record-keeping
can enhance quality health care. But technology also presents
significant challenges to privacy. There are so many entities now
involved in the health care system that these records can be
transmitted to those entities virtually at will, at the click of a
computer mouse. That presents a challenge that overwhelms the
common-law privilege between a doctor and a patient.
Constitutional Protections. What
about the Fourth Amendment? Does that help? If I have a set of
X-rays in my desk drawer at home, the police cannot break down the
door of my house and take those X-rays, right? We all would claim
the Fourth Amendment protection against unreasonable searches and
seizures.
What if my X-rays are kept in my doctor's office, or in the insurance
company's office, or the managed care company's office? Does the
Fourth Amendment protect my right to those records? No, because the
law does not consistently recognize a patient's ownership interest
in those records. In effect, the law views me as having abandoned
the ownership interest when I left the doctor's office and left the
X-ray there, or left the blood sample there, or left the records
there that describe my encounter with the doctor.
In Fourth Amendment challenges to the seizure of medical records from
a doctor's office or an insurance company's office, the Fourth
Amendment has been held not to protect a patient's privacy interest
in those records.
As a result, the ACLU strongly believes that we need a new federal law
that establishes by statute a patient's ownership interest in his
records, and a set of legal protections that guard against the
invasion of privacy in those records.
Much has been said about Medicare's OASIS program. It has been well
said, and I don't want to repeat it. Dr. Appelbaum said that OASIS
is a symptom of a larger problem and a larger process. I would like
to speak to this very briefly. In 1996, when Congress passed the
Health Insurance Portability and Accountability Act, it included
"administrative simplification" provisions that essentially
permitted the freer flow of health information among various
entities, including insurance companies, doctors, and managed-care
companies.
Congress recognized at that time that
administrative simplification and the computerization of medical
records posed a threat to medical privacy. There were then efforts
by some Members of Congress to include in that law detailed privacy
protections. These efforts did not succeed. The reason: An
agreement could not be reached among the Members of the Senate and
the House who were working on that bill. So, Congress punted and
said, "We will enact comprehensive medical privacy protections in
law within three years, by 1999. But if we don't act by August of
1999, the Secretary of Health and Human Services will be empowered
to establish such protections by regulation." So, if Congress
doesn't act, Secretary Shalala is authorized to promulgate
regulations.
Congressional Legislation. Three
bills have emerged in the Senate. Senators Patrick Leahy (D-VT) and
Edward Kennedy (D-MA) have introduced S. 573. Senators James
Jeffords (R-VT) and Christopher Dodd (D-CT) have introduced S. 578.
Senators Bennett and Mack have also introduced a bill. Those three
bills offer different visions for privacy protections.
The Senate Health, Education, Labor and Pensions Committee scheduled a
markup on a bill that was an amalgamation of the three. The
Senators on that committee, under the direction of Chairman
Jeffords, had worked to put together a consensus draft. It wasn't a
consensus in the sense that everybody agreed to it. But Chairman
Jeffords put it forward as the "Chairman's mark." That markup was
canceled at the very last minute. But the Committee will again
begin the process of considering this bill.
The ACLU has very deep concerns about the direction of this legislative
process. Under the guise of protecting medical privacy, we fear
that Senator Jeffords and others, who undoubtedly are well
intentioned and are trying their best to address this need to
legislate, are going to pass a federal bill that would actually, in
key respects, be a step backwards for privacy protections.
There are a couple of key problems with
the bill the Senate Committee is considering. First of all, the law
enforcement section of the bill is disastrous. As you would
imagine, the bill establishes a general rule that says patients
have ownership interest in their medical records. They have to
consent to the disclosure of those records to other people, and
they have the right to access their own records to check and make
corrections. That rule is then modified by many exceptions, as Kent
Brown noted earlier. You can start by saying there is a principle
of privacy, but then you list all the exceptions. You finally ask
whether there is anything left, or is it just a tattered piece of
paper?
Government Databases. One of the
key exceptions in this Jeffords bill is an exception for law
enforcement. As we read the current draft, law enforcement agencies
have virtually unfettered access to your medical records. There is
not a warrant requirement. Essentially, the police are permitted to
issue what are called "administrative subpoenas" to obtain your
medical records. When they obtain those records, they can virtually
do anything with them.
They can maintain databases. This is a long-standing fear of the ACLU,
that health care records have become the new law enforcement
database, in which the police can search for clues to a crime based
on your blood type, your DNA sample, or other information about
your health status.
A second concern of ours is in the area of preemption. A number of
states have begun to address this issue. I know policy analysts at
The Heritage Foundation understand and respect the important role
of the states in our constitutional system. They are "laboratories"
for policy, and indeed, the states have begun to address this
challenge.
The Jeffords bill would, in a very significant measure, preempt state
laws governing privacy that have already been enacted, and more
dramatically, it would preempt the states from acting in this area
in the future. We think that's wrong and dangerous.
Finally, a third area that concerns
us--and is most relevant to this panel today--is in the area of
health oversight. Section 206 of the current Chairman's mark
provides that a health care provider, health plan, health
researcher, employer, life insurer, etc., shall disclose health
information to a health oversight agency with an oversight function
authorized by law.
More Power to HCFA. Well, if that
sounds familiar to you, it should. Because it's that "mirage" that
Dr. Appelbaum described in his opening remarks. It's like OASIS.
HCFA would specifically be authorized to carry out the OASIS kind
of activity under Section 206 of the Jeffords bill. If Senator
Jeffords and his staff were here, they would be quick to point out
that other sections of the bill provide protections about how that
information could be used by HCFA. But the sweeping intrusion into
health care operations by government agencies in the name of
oversight is perpetuated by this bill. Therefore, this bill, which
purports to protect privacy and limit access to medical records, is
shaping up to be something very different.
We hope that this legislative process gets back on track. Congress
should enact privacy protections. There is a pressing need, and
Congress should address it. But right now, we fear that the bill is
off-track. While we're not calling on Congress to pull the plug on
this legislative process, we urge very significant improvement over
this Jeffords bill. Everyone in this room who came here concerned
about Medicare's OASIS program should be very concerned about the
direction of health-privacy legislation.
Ronald Weich is a
partner in the law firm of Zuckerman, Spaeder, Goldstein, Taylor
& Kolker, and a legislative consultant to the American Civil
Liberties Union. He has served in a series of senior staff
positions in the Senate, notably as general counsel to the Labor
and Human Resources Committee and chief counsel to Senator Edward
Kennedy on the Senate Judiciary Committee.