These are but two of the red flags raised by critics of the Clinton-Gore administration's last-minute "privacy" rule adopted verbatim April 14 on a direct order from President Bush.
The lengthy, convoluted regulation of the Department of Health and Human Services has been touted by the White House and most of the establishment press as guaranteeing patients protection of the privacy of their health records.
Critics contend this is nothing less than a bureaucratic hoax foisted upon the new Bush-Cheney administration by a wily Bill Clinton, and that it opens up personal medical files to government inspection, control and commercial exploitation.
They cite how the rule deals with two sensitive subjects: marketing and fund-raising.
Section 164.514(e)(1) provides that "a covered entity" – physician, dentist, hospital, nursing home, health plan or pharmacist, for example – "may not use or disclose protected health information for marketing without an authorization" of an individual "except . . . ."
Then comes a carefully hedged set of exemptions, such as described in Section 164.514(e)(2)(i):
"A covered entity is not required to obtain an authorization under Section 164.508 when it uses or discloses protected health information to make a marketing communication to an individual that:
"(A) Occurs in a face-to-face encounter with the individual;
"(B) Concerns products or services of nominal value; or
"(C) Concerns the health-related products and services of the covered entity or of a third party and the communication meets the applicable conditions in paragraph (e)(3) [below] of this section."
Section 164.514(e)(2)(ii) then adds:
"A covered entity may disclose protected health information for purposes of such communications only to a business associate that assists the covered entity with such communications."
Critics say that's just wishful thinking, that once the marketing potentials of a patient's personal medical files have been passed along to one third party there's no stopping the spread to a whole host of other computer-assisted sales forces.
They argue that once the horse is out of the barn it's too late, despite the regulation's following paragraphs, referred to in (C) above:
Section 164.514(e)(3) provides:
"For a marketing communication to qualify under paragraph (e)(2)(i) [above] of this section, the following conditions must be met:
"(i) The communication must:
"(A) Identify the covered entity as the party making the communication;
"(B) If the covered entity has received or will receive direct or indirect remuneration for making the communication, prominently state that fact; and
"(C) Except when the communication is contained in a newsletter or similar type of general communication device that the covered entity distributed to a broad cross-section of patients, enrollees or other broad groups of individuals, contain instructions describing how the individual may opt out of receiving future such communications.
"(ii) The covered entity uses or discloses protected health information to target the communication to individuals based on their health status or condition:
"(A) The covered entity must make a determination prior to making the communication that the product or service being marketed may be beneficial to the health of the type or class of individual targeted; and
"(B) The communication must explain why the individual has been targeted and how the product or service relates to the health of the individual.
"(iii) The covered entity must make reasonable efforts to ensure that individuals who decide to opt out of receiving future marketing communications, under paragraph (e)(3)(i)(C) [above] of this section, are not sent such communications."
One of the complaints of critics is that there's no way a physician, dentist, hospital, nursing home, health plan or pharmacist could possibly comply with those "safeguards" without plowing through the specific records, name by name, ailment by ailment, of each and every patient targeted for marketing and then sharing that information with any third-party sales force.
All of that is permitted to take place without advance approval by the patient.
In Section 164.514(f), the rule provides:
"(1) A covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of Section 164.508:
"(i) Demographic information relating to an individual; and
"(ii) Dates of health care provided to an individual.
"(2) (i) The covered entity may not use or disclose protected health information for fundraising purposes as otherwise permitted by paragraph (f)(1) [above] of this section unless a statement required by Section 164.520 (b)(1)(iii)(B) [below] is included in the covered entity's notice."
Section 164.520 (b)(1)(iii)(B) states:
"The covered entity may contact the individual to raise funds for the covered entity."
Section 164.514(f)(2) continues:
"(ii) The covered entity must include in any fundraising materials it sends to an individual under this paragraph a description of how the individual may opt out of receiving any further fundraising communications.
"(iii) The covered entity must make reasonable efforts to ensure that individuals who decide to opt out of receiving future fundraising communications are not sent such communications."
One part of the rule provides that specific personal identifiers may be removed from lists made available to marketers and fundraisers.
Section 164.514(b)(2)(i) lists such identifiers "of the individual or of relatives, employers or household members of the individual" as:
"(B) All geographic subdivisions smaller than a state, including street addresses, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
"(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
"(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
"(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
"(D) Telephone numbers;
"(E) Fax numbers;
"(F) Electronic mail addresses;
"(G) Social Security numbers;
"(H) Medical record numbers;
"(I) Health-plan beneficiary numbers;
"(J) Account numbers;
"(K) Certificate/license numbers;
"(L) Vehicle identifiers and serial numbers, including license plate numbers;
"(M) Device identifiers and serial numbers;
"(N) Web Universal Resource Locators (URLs);
"(O) Internet Protocol (IP) address numbers;
"(P) Biometric identifiers, including finger and voice prints;
"(Q) Full-face photographic images and any comparable images; and
"(R) Any other unique identifying number characteristic, or code."
The point, critics complain, is that if the rule permits those identifiers of individuals to be omitted from data bases, then it acknowledges that they are also available and visible to those same marketers and fundraisers.
Or else how could they eliminate them if they didn't have access to use them?
There is also implicit in that part of the rule an acknowledgement by the government that it is, indeed, a nationwide electronic data base it is making possible by this rule.
Yet, in the emerging debate on Capitol Hill over this medical-privacy rule, little attention is being paid to whether this "privacy protection" measure adopted by the Bush-Cheney administration is in fact just the opposite.
© 2021 Newsmax. All rights reserved.