The politics of medical privacy

Legal Times  March 22, 1999

 

From banks of computers scattered across the East Coast, IMS Health Inc. claims to be able to track 70 percent of the drugs prescribed to patients worldwide. Each month, the Westport, Conn.-based corporation processes 72 billion records sent to it by 250,000 U.S. pharmacies, doctors, hospitals, nursing homes, and clinics.

These files, automatically transmitted to IMS via computer, contain detailed information about millions of Americans who take prescription drugs, including their dosage and any other drugs they are taking. IMS then sells data culled from these records to pharmaceutical manufacturers and other companies, which use it for marketing, research, and price comparisons, among other things.

IMS officials say they go to great lengths to protect patient privacy, to the extent that names and other identifiers are stripped out before they even reach the company. The only identifier that remains is a code.

But all these precautions are entirely voluntary. No universal federal rules protect the privacy of medical records--and although some states have privacy laws, they vary widely in scope.

As a result, records now flow freely among doctors, hospitals, insurers, employers, biotechnology companies, medical device and pharmaceutical manufacturers, and government agencies, including law enforcement. The only person who may have trouble obtaining a medical record, in some cases, is the patient.

Prompted by the public's fear that such personal information may be used for unscrupulous purposes or simply fall into the wrong hands, Congress has tried for years to craft legislation that would control the unchecked dissemination of medical data without denying the health industries a critical resource.

Now, Congress faces an August deadline mandated by the Health Insurance Portability and Accountability Act of 1996. If it fails to pass a bill, the Department of Health and Human Services will be free to implement its own regulations--an option that neither Congress nor health care companies like.

Two bills have been introduced this session. The stronger one, backed by liberal Democrats, would require an individual's consent before any of his or her medical data can be sold or used for any reason other than to aid in treatment or payment for services. The other bill, drafted by moderates from both parties, would permit insurance companies to use such information for a range of purposes.

"We need an upgrading of privacy rights to match the upgrading of the ability of the industry to gather information about individuals, " says Rep. Edward Markey (D-Mass.), one of the co-sponsors of the Democratic bill and the ranking minority member on the Commerce Subcommittee on Telecommunications, Trade, and Consumer Protection.

But drug and insurance company lobbyists say these privacy protections would hobble drug-makers' ability to do research and insurance outfits' ability to provide cost-efficient services. Instead, they are pushing a less restrictive law, not yet introduced, being drafted by conservative Republicans.

"This notion that we can prevent all harm by preventing all access to medical records undermines the ability of the health care industry to provide highquality care and to engage in critical research, " says Heidi Wagner, a lobbyist for Genentech Inc. who heads a coalition of insurance and drug companies opposing both bills.

The industry has lined up a powerful team to fight the privacy bills. Jerry Klepner, a former Clinton administration assistant secretary for legislation and now a lobbyist for Black, Kelly, Scruggs & Healey, is working for Genentech and the SmithKline Beecham Corp. The Pharmaceutical Manufacturers and Research Association and Genentech have signed up podesta.com's Reid Detchon, a former aide to former Sen. John Danforth (R-Mo.) and Andrew Littman, former policy director to Sen. Barbara Boxer (D-Calif.). Lyle Dennis of Cavarocchi, Ruscio and Dennis Associates is heading up the Genome Action Coalition, an industry-funded outfit that is trying to bring in the support of patient groups. What makes this fight different from most legislative battles is that Congress is trying to reach into an arena in which relatively little hard data is available. A regulation known as the Common Rule governs safety and privacy issues in research that is performed either with government funds or with the purpose of winning Food and Drug Administration approval for a product.

In the absence of federal jurisdiction over the private sector, regulators, members of Congress, and privacy advocates say there is no way of knowing how much unregulated research is being done with identifiable medical records and human subjects. This makes it difficult for Congress to assess the problem and tailor legislation accordingly.

"We don't know how much research is going on, how many people are involved, whether there have been any adverse effects on these people, and whether steps are being taken to correct these adverse effects, " says R. Alta Charo, a professor of law and medical ethics at the University of Wisconsin who is a member of the National Bioethics Advisory Commission.

The commission was established by President Clinton in 1995 to study the government's regulation of medical research.

Biotechnology and pharmaceutical representatives say they don't have any idea as to the scope of such research.

Others are wary of such claims. "They know and they aren't telling us, " says a Democratic aide who cited hearings last month before the Senate Committee on Health, Education, Labor, and Pensions during which industry representatives repeatedly denied having any knowledge about the extent of unregulated research.

The bill that has received the most support from privacy advocates, sponsored by Markey and Sen. Patrick Leahy (D-Vt.), would extend the Common Rule's privacy protections to all types of research.

The other proposal, sponsored by Sens. James Jeffords (R-Vt.) and Christopher Dodd (D-Conn.), calls for a two-year study on extending the Common Rule, after which Health and Human Services could put rules into place.

Industry lobbyists argue that the Common Rule is far too blunt an instrument to be used so broadly. Under the Common Rule, any research use of human subjects or of medical records must be approved by an Institutional Review Board, made up of community members, both experts and laymen. The IRB may require researchers to get informed consent before using a person's medical records.

This type of process would dramatically slow pharmaceutical and biotechnology research, says Genentech's Wagner.

"The IRB tool is not the correct tool, " she says. "That mechanism is not designed to accommodate all forms of research."

Some outside observers agree, but only in part. A recent General Accounting Office report notes that the IRB process is primarily designed to protect the safety of human subjects. The privacy of medical records is a secondary concern, particularly if they are encoded, and, according to the GAO, IRBs frequently waive requirements that subjects give consent before their records are used in research.

Whether extending the Common Rule to all research would hurt the private sector is doubtful, says Charo. "We haven't seen the research enterprise at universities shut down, not by a long shot, and they are all subject to these rules, " she says.

The Common Rule is "not perfect, but its the only thing we've got right now, " says a Leahy aide.

Much of the debate over the bills has centered on definitions like the meaning of the words "research" and "identifiable."

Industry lobbyists say the Jeffords-Dodd bill goes too far in its definition of how much personal information must be encoded to make a record not " identifiable." "That means that every requirement under the bill is triggered, " says Wagner. " The bill would cover literally every piece of information that we are trying to use."

Wagner says that under the bill, researchers would have to seek permission for nearly everything they did with medical records.

Industry lobbyists are instead promoting a more permissive definition of " identifiable" used in a bill sponsored by Sen. Robert Bennett (R-Utah), which they hope will be introduced in the next few weeks.

Under the Bennett standard, says a Democratic aide, the industry would be able to keep lots of information that could identify a person. "It's a huge loophole." Another key aspect of the Bennett bill is that it would pre-empt existing state privacy laws.

While the Bennett bill would set a ceiling to keep state statutes from exceeding federal law, the Leahy-Markey bill would establish a baseline federal standard that state laws must meet or exceed. The Jeffords-Dodd bill also sets a ceiling and would grandfather existing state laws.

The biotechnology boom of the last decade and advances in gene research present particular concerns to groups advocating on behalf of patients. There's a real chance that employers and insurance companies could discriminate against people based upon their genetic information, says Jeffrey Crowley, who is leading the Consortium for Citizens with Disabilities.

While none of the medical privacy bills deal with genetic discrimination, Sen. Dodd tried last week to attach an anti-discrimination amendment to the patient's bill of rights being considered by the labor committee.

But Sharon Cohen of the Health Insurance Association of America says insurers should be able to evaluate any available information about a person, including genetic information.

And Wagner, the head of the pharmaceutical-insurance coalition, claimed victory for her group after shoring up enough support among Republican committee members to keep the Dodd amendment out of the patient's rights bill. On the medical privacy issue, the group has lobbied successfully to make sure that genetic information does not receive special protection and is treated the same as all other medical information.

But there is good reason to provide special protections for genetic information, says Arthur Caplan, director of the Center for Bioethics of the University of Pennsylvania. Genetic data taken from one person, he says, can provide personal information about one of the person's relatives.

Caplan adds that while genetic engineering is still in its infancy, a DNA sample could eventually become a component in a company's product. "DNA is not just a record, " he says. "You can use it to make something."

The one aspect of the medical privacy debate on which the industry and privacy advocates agree is that medical records should not freely be given to law enforcement officials. The Leahy-Markey bill, for instance, requires law enforcers to get a warrant before obtaining medical records.

But the Clinton administration's silence on the issue in its privacy recommendations to Congress indicates that it seeks unfettered access to records for law enforcement, says a Leahy aide.