Can We Protect Health Plan and Provider Privacy, Too?
Public Agency Health Care Databases and the Public Records Problem

John R. Christiansen, Stoel Rives LLP[1]

The protection of individual privacy has been receiving a lot of attention lately. At the federal level recent months have seen the publication of the final regulations protecting “individually-identifiable health information” from inappropriate use or disclosure by health care organizations; the publication of regulations prohibiting financial institutions from sharing “non-public personal information” about individuals without their informed consent; and Federal Trade Commission (“FTC”) actions intended to require e-commerce companies to comply with their own published privacy policies. There has been considerable discussion of possible new privacy legislation which might be introduced in Congress, and state legislatures and regulatory authorities are also working on privacy protection issues.

In this flurry of activity it is easy to lose sight of the fact that information about organizations and professionals may also be collected, disclosed and used without their consent in ways that may be harmful to their interests. This problem has recently come into focus in a case involving information reported by health plans and health care providers to governmental agencies for collection in database “registries.” Registries are primarily intended for use in tracking the incidence and outcomes of diseases and other medical conditions,[2] but the information they collect may also be used to track reporting organizations’ and professionals’ clinical performance or business activities.

The problem is that public agencies are required to disclose such information to anyone who requests it. Once information is disclosed, there are no controls over its use. This leaves reporting parties at risk that their information will be used against them by competitors or in litigation, or otherwise used or disclosed in ways which harm their reputations or other interests. This problem arises only in connection with databases which are owned and operated by governmental agencies. The solution is not to discontinue or stop participating in health information collection projects, since such databases may be of great value, but to maintain them under private ownership and strong contractual controls.

A private database company will not be subject to mandatory disclosure laws, but can manage information use and disclosure under the protective terms of its contracts with reporting organizations and professionals. This solution lets such parties ensure the protection of their own confidential information, while ensuring the protection of individual privacy as well. This solution is also consistent with the current trend toward privatization of public health functions in general, a trend catalyzed substantially by declining public health budgets and an increased availability of competent outsourcing contractors.

Purposes and Benefits of Registries and Other Health Care Databases

Over the past decade or more disease and medical condition registries have become an important part of the public health landscape. Registries collecting data on the incidence of and treatment outcomes for cancer and trauma have supported research and analyses leading to valuable conclusions about treatment benefits and accident patterns,[3] while immunization registries have proven valuable for increasing immunization rates and targeting underserved populations.[4] Registries of information concerning chronic conditions such as diabetes or the incidence of sexually-transmitted diseases likewise hold considerable promise.[5] These are only a few of the potential applications in which health data registries may play a valuable role.

Any database’s value increases in direct proportion to the completeness and accuracy of the data it holds. The more parties reporting data the better; the “ideal” database is one to which all relevant data is reported.[6] Of course, any single enterprise can collect data on its own experience, and that may have some value.[7] But even a large enterprise is not likely to get as much value out of its own database as it would out of a registry reporting data for an entire community or practice area. It might be able to make useful decisions about whether to continue offering certain services by measuring itself against community standards, for example, or draw valuable conclusions about the correlation of treatments with outcomes which would not otherwise be possible.[8]

Public health agencies understand the potential value of registries to their own activities, and in some cases agencies have had mandatory reporting laws passed, though reporting is probably more often coerced by more subtle governmental pressures.[9] Recent medical error prevention and evidence-based medicine initiatives include calls for mandatory state-based reporting of errors to a national database, as the basis for potentially valuable treatment guidelines.[10]

These are worthy goals. Unfortunately, as a matter of law public agency reporting entails potentially serious negative consequences for reporting organizations and professionals, which are likely to make them avoid voluntary participation and resist mandatory reporting. Specifically, the fact that public agency databases are public records under the law opens them up to misuse as sources of intelligence about health care providers and health plans.

Public Agency Databases and Freedom of Information

The classification of public agency databases as public records means that under federal and state “freedom of information” laws there are no controls over the disclosure of information about the health plans and/or health care providers who report their information to these public databases, and no limits on use of such disclosed information against them. Whatever the policy arguments in favor of making health plan and health care provider performance information available to the public, these policies are not the reason for the creation of registries and other health care databases. The fact that such information is available for secondary purposes contrary to the interests of reporting organizations and professionals will only discourage their participation.

As a general rule public records are subject to public records laws, including freedom of information statutes at both the federal and state levels. Freedom of information laws control citizen access to governmental records, and are liberally interpreted to require agencies to disclose information they possess to citizens upon request unless there is a specific, clearly articulated legal exemption.

The potential privacy problem that freedom of information laws raise for individual privacy has long been recognized, and individual protections against disclosure have generally been implemented. Freedom of information laws therefore usually have specific exemptions from disclosure for individually identifiable health information.[11]

But there are no exemptions to mandatory disclosure of health information which does not identify individuals, but does include important information about organizations or professionals who have treated the individuals whose data has been reported.[12] In fact, cases interpreting freedom of information laws have specifically held that potential harm to organizational or professional reputation or business interests is not a legitimate reason to block disclosure.[13]

The application of these principles to registries was made clear in a recent case interpreting Illinois’s freedom of information law, Southern Illinoisan v. Illinois Department of Public Health.[14] In Southern Illinoisan a newspaper made a freedom of information act request for state cancer registry information on the incidence of neuroblastoma, including data on date of diagnosis and the residential zip codes of patients. The Department of Health denied the request, believing this data was exempt because disclosure might invade patient privacy. The Illinois appellate court, relying in part on a United States Supreme Court case interpreting the federal Freedom of Information Act, held that the information had to be disclosed, except to the extent that the records included information which would “reasonably tend to lead to the identity of” one of the individual cancer patients.[15]

A necessary implication of Southern Illinoisan is that any other particulars in the registry which did not tend to lead to patient identification would also have to be disclosed upon request, unless there was some other specific legal exemption. Under the principles discussed above, for example, registry information identifying the providers who treated cancer patients, their health plans and the treatment outcomes would have had to be disclosed if requested. This was precisely the holding in an earlier case under New York’s freedom of information law.

Newsday, Inc. v. New York Department of Health did not involve a health data registry, but concerned the results of a health department study of cardiac surgery statistics from thirty hospitals and 126 surgeons.[16] The Department of Health publicized the study in a press release which generally stated the findings, but did not identify the individual surgeons or their mortality rankings. Newsday made a request for disclosure of that information under New York’s freedom of information law, which the Department of Health rejected, arguing the data would be “misunderstood and misused” by the public.[17] Given the probability of misunderstanding and misuse, the Department believed that data identifying individual surgeons should not be disclosed under the freedom of information law exemption for individual privacy protection.[18]

The New York Supreme Court (a trial-level court in that state) held in favor of Newsday and ordered the Department of Health to release information about mortality rankings of individual surgeons. The court held that “[n]o doctor . . . could have any reasonable expectation that the government would withhold from its citizens the patient mortality rate of the doctor” and that “even if there was a legitimate privacy expectation, the interest of the public outweighs it.”[19] Newsday published the information, leading to much acrimony between the Department of Health and the physician community. One Department of Health researcher concluded that “making public the performance scores of individual physicians was a mistake.”[20]

Secondary “Misuse” of Governmental Information

Whatever the wisdom of hindsight, under the freedom of information law the health department in Newsday had no choice but to release the information. The result in that case was acrimony; the result in other situations may be more serious.

One likely result will be the use of database records in litigation.

. . . Systematic accumulation of outcome data is changing the standard of care for hospitals. . . . The rapid acceleration of information gathering is likely to have two legal effects. . . . [One likely effect will occur in litigation, as where] a patient injured in the hospital might argue that the hospital was negligent in retaining a physician on the medical staff, if outcome data compiled by the hospital reveals that the physician was at the very bottom of the staff profile.[21]

This result could easily be translated into the use of public agency databases which could be analyzed to rank physicians, and would be consistent with the legal holding that epidemiological studies by public health agencies are admissible as evidence.[22]

Another possible effect would be the use of public agency information for competitive business purposes, such as health plan selection of providers or underwriting.[23] Or,

[p]roviders might seek to use . . . databases for many reasons: to project market share when considering mergers with other facilities, to select sites for satellite clinics, to establish ambulatory surgery centers, to acquire group practices, and in other ways to plan future activities with financial implications. Some groups may wish to acquire competitive intelligence . . .[24]

None of these activities are necessarily bad or contrary to the public interest. But they are not consistent with the purposes for which this kind of information is gathered.

The fact that such uses are possible and in fact must be anticipated is a serious disincentive to report data which can be used against the reporting organization.[25]

Data about errors are highly vulnerable. Litigators have strong incentives and powerful legal tools to obtain information about errors to assist them in lawsuits for medical injuries. Discoverability of error reports is very likely to increase the number of personal injury claims brought and paid. This creates a strong disincentive to report. Operators of reporting systems lacking any protection against legal breach of confidentiality are experiencing underreporting of errors.[26]

The heart of the problem is that public agencies must permit, and in fact cannot prevent, disclosure of identifiable health care provider and health plan data, which lacks the protections against secondary uses that the law establishes for individually-identifiable health information. “Secondary uses of data occur when information is used in ways that are incompatible with the original purposes of collection. Secondary uses of identifiable information [in public health registries] beyond those originally intended by the data collector would be permitted only with the informed consent of the subject.”[27]

The thrust of most privacy protection laws and initiatives is the protection of individuals against unconsented and inappropriate secondary uses of their information. But public records laws do not extend protections against secondary uses of registry information to health care organizations and professionals whose information they also contain.[28] Under freedom of information laws on the books at the federal and state levels, the consent of these parties to any disclosure, for secondary use or otherwise, is not relevant. Their information is a public record and must be disclosed upon request.

Private Health Care Databases and the Contractual Protection of Information

While most existing registries were developed in the public health sector, there is no legal requirement or operational peculiarity which precludes their private ownership and operation. “Registry” is simply a convenient term for a database containing certain kinds of information, collected and distributed for certain kinds of purposes. In a time of declining public health budgets registry outsourcing to private companies may be a cost-effective alternative, especially compared to the loss of such data resources altogether.[29]

Technically and administratively, private organizations should be able to own and operate such databases at least as efficiently and cost-effectively as public organizations. There is no per se reason to believe that a private party will be less managerially and technologically competent than a governmental agency in protecting private information. Private companies may well have more funding available for the development of technological protections, and for the hiring of trained, experienced personnel at competitive wages.[30] Operational competence is not the real question.

The real question is one of confidence: Can a private, profit-oriented[31] registry operator be trusted not to disclose or use the information it manages improperly for purposes of financial gain? Certainly, there have been and no doubt will continue to be cases where owners of various kinds of databases do make improper uses of private information for commercial purposes.[32] There is no law directly regulating the use and disclosure of private information by private registry companies,[33] and one solution to the trust problem could therefore be the enactment of appropriate legislation.[34] However, no proposed law has yet been prepared, and it would take many years to draft one and work it through legislative processes.

A solution which could be implemented immediately as needed would be the creation of a strong contractual structure imposing a trustworthy system on a private registry organization. “Contracting parties . . . may freely draw up contracts specifying conditions of confidentiality.”[35] The HIPAA privacy regulations prohibit health plans and health care providers, the parties who would be providing data to the registry, from disclosing individually-identifiable health information to their business associates unless they have entered into specific forms of agreement limiting their use and disclosure of that information.[36] A business associate contract with a private database company would constitute legally “satisfactory assurance” that it would protect reported, individually identifiable information appropriately under HIPAA.[37]

Such a contract could include parallel provisions protecting confidential information pertaining to reporting health plans and providers as well.[38] Such provisions might include the following:

· Since registry information is intended to be made available to other parties, the contract would include restrictions on the parties to whom reported information could be disclosed, the conditions for such disclosure, limitations on the content which could be disclosed, and a requirement that any party receiving such information be party to an agreement with the registry owner controlling its own use and further disclosure of the information.[39]

· The parties might consider further strengthening the contract by including a requirement that the reporting organization or professional be made a “third party beneficiary” of any agreement for disclosure of such information between the registry owner and any third party. If properly drafted, such a provision would give the reporting party legal recourse against both the registry owner and the third party in case of a breach of the agreement.[40]

· While a private registry company would not be immune to legal process seeking disclosure of information, it could agree not to provide information except in response to a valid warrant or court order, including contesting subpoenas and other requests for information, and giving reporting parties notice and an opportunity to intervene whenever their information is sought.[41]

· In order to verify compliance with the contract, it should include terms requiring periodic third-party auditing of registry protections and privacy compliance.[42]

· A failure by a registry company to abide by its contracts could be made grounds for termination, or other penalties, consistent with reporting organizations’ own regulatory obligations.[43]

If the contract includes strong, well-crafted restrictions on ownership of the information, on its use and disclosure, and on its transfer to third parties, the registry company should have no legal right to sell protected information for improper purposes, even in bankruptcy.[44] This solution would create a private “oversight” structure equivalent in effect to the public oversight structures which let us consider governmental agencies trustworthy, while avoiding the public oversight consequence that public agencies cannot protect information in the absence of specific legal authority.

Private companies are generally considered trustworthy by their business associates if they enter into and comply with meaningful contractual commitments. A strong contractual structure for a private registry company can make it a trustworthy holder of both individually identifiable health information which is protected by law, and health plan- and health care provider-identifiable information which is not.

Conclusion

There is a somewhat bitter irony in the possibility that declining public health budgets will retard, degrade or eliminate valuable health care database projects, during the same period in which advances in information technology are making it possible to do more with such databases than ever before, and error reduction initiatives seek to expand the reporting and analysis of health care information. But public health databases are fundamentally flawed by their inability to protect against unconsented secondary use of information about those who report it.

The need to place registries on a sound financial footing therefore presents an opportunity to create legal protections against such misuse. There is no legal or operational requirement that registries be owned and operated by governmental agencies. Public health agencies and private health care organizations and professionals which find registries valuable may well find that these information resources may be best preserved and extended by competent, contractually trustworthy private companies.



[1] One of the conclusions of this article is that health care providers and health plans may have reasons to prefer privately owned and operated health data registries to registries owned and operated by governmental agencies. It should be disclosed that the author is counsel to private companies which provide health data registry or registry-related services.

[2] As used in this article a “registry” is a database intended specifically for tracking clinical data to be made available for public health or research purposes. This is intended to distinguish registries from the many kinds of databases developed to collect health care-related data for other purposes. The seminal analysis of the uses and value of such databases is Institute of Medicine, Health Data in the Information Age (1994).

[3] See Institute of Medicine (1994), supra note 2, at 79–80.

[4] See Gostin, Lazzarini and Flaherty, “Legislative Survey of State Confidentiality Laws, with Specific Emphasis on HIV and Immunization,” Final Report to U.S. Centers for Disease Control (1997)(available on-line at http://www.epic.org/privacy/medical/cdc_survey.html, site visited 06/03/97), at 43-45.

[5] See e.g. Gostin et al., supra note 4, at 17.

[6] See Christiansen, “Why Healthcare Information Isn’t Property – and Why That Is to Everyone’s Benefit,” 27 Health Law Digest 3 (February 1999), at 7–9.

[7] Cf. Bates and Gawande, “The Impact of the Internet on Quality Measurement,” 19 Health Affairs 104 (November/December 2000) at 110: “Medical care occurs largely within private institutions, and thus the quality information generated has been kept largely private.”

[8] See generally Millenson, Demanding Medical Excellence (1997).

[9] See Millenson, supra note 8, at 191 (hospitals “volunteered” to participate in New York State Department of Health cardiac study “[l]ike a prison inmate accepting the warden’s ‘invitation’ for lunch”, given department’s regulatory authority).

[10] See Johnson and Shapiro, “The Institute of Medicine Report on Reducing Medical Error and Its Implications for Healthcare Providers and Attorneys,” 12 The Health Lawyer 1 (June 2000), at 5–6. See generally Institute of Medicine, Crossing the Quality Chasm: A New Health System for the 21st Century (2001) and Institute of Medicine, To Err Is Human: Building a Safer Health System (2000).

[11] See Gostin et al., supra note 4, at 4.

[12] See Institute of Medicine (1994), supra note 2, at 176 fn.

[13] See e.g. Fisher v. National Institutes of Health, 934 F.Supp. 464 (D.C.D.Ct. 1996) (physician held to have no protected interest affected by inclusion of scientific misconduct investigation annotations on article database entries which identified physician as co-author) and Doe v. United States Department of Health and Human Services, 871 F.Supp. 808, 813–14 (E.D. Pa. 1994) (physician’s liberty and property interests not implicated by inclusion of criminal conviction in National Practitioner Data Bank). See also Winn and Wrathall, “Who Owns the Customer? The Emerging Law of Commercial Transactions in Electronic Customer Data,” 56 The Business Lawyer 213 (November 2000) at 268: “A business organization that is a legal but not a natural person has no rights under data protection laws, and must rely on the enforcement of contract terms for its right against third parties.”

[14] Southern Illinoisan v. Illinois Department of Health, 2001 WestLaw 337191 (March 28, 2001) (Illinois Court of Appeals, Fifth District).

[15] This standard is consistent with the requirements for anonymization of individually identifiable health information under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). See 45 CFR sec. 164.514(a)–(b).

[16] Newsday, Inc. v. New York Department of Health, 19 Media Law Reporter (1991).

[17] See Millenson, supra note 8, at 192–93.

[18] See Newsday, Inc.

[19] Id.

[20] See Millenson, supra note 8, at 197.

[21] Furrow, “Doctors’ Dirty Little Secrets: The Dark Side of Medical Privacy,” 1998 Washburn Law Journal. See also Johnson and Shapiro, supra note 10, at 6–7.

[22] See e.g. Kehm v. Proctor and Gamble, 724 F.2d 613 (8th Cir. 1983); and see Johnson and Shapiro, supra note 10, at 7.

[23] See Institute of Medicine (1994), supra note 2, at 77.

[24] Id. at 78.

[25] Compare Bates and Gawande, supra note 7, at 110: “Some of the concerns [about public reporting of medical error rates] are clearly legitimate. Public reporting of errors could easily drive discussion of errors further underground. Likewise, if providers’ rates of complications are released with either small sample sizes or inadequate case-mix adjustment, physicians will have strong incentives to avoid sicker patients.”

[26] Johnson and Shapiro, supra note 10, at 6–7.

[27] Gostin et al., supra note 4, at 9.

[28] Medical error data is protected by statute when reported for peer review purposes in some states. See Johnson and Shapiro, supra note 10, at 8–9. Peer review protections do not apply to registries, by definition: “This privilege [peer review] is statutory and is specific to medical peer review within specified settings and meeting specified standards.” Id. at 8. Peer review statutes are highly variable from state to state, and “the protection afforded by the peer review privilege is [limited by] the threat – shared by all statutory protections – of statutory revocation. The possibility can never be eliminated that the law will be changed with retroactive application.” Id. at 8–9.

[29] See Bechamps, Bialek and Chaulk, Privatization and Public Health: A Report of Initiatives and Early Lessons Learned (Public Health Foundation 1999) at 1: “. . . the 1990s have been characterized by governmental downsizing and budget cuts at all levels. These cuts have compromised the ability of local agencies to provide basic services. As a result, policy makers at all levels of government are calling for leaner, more efficient service delivery.”

[30] See Christiansen, “When Networks Collide: Managing the Risks Arising from the Interaction of Healthcare and Information Systems,” 11 The Health Lawyer 10 (October 1998), at 14–15.

[31] A private database owner could be organized as either non-profit or for-profit, but this legal categorization is not relevant to its regulatory status, or its privacy protection competence. The underlying issue for either a profit or non-profit organization is whether it can attract sufficient financing and generate sufficient revenues to sustain itself. If in fact a health care community finds a given registry valuable, the issue would be whether the community is willing to pay enough (collectively) to support it.

[32] See e.g. discussion in Winn and Wrathall, supra note 13, at 221–29.

[33] Unless the organization were part of a health plan, health care provider or health care clearinghouse, it would not be covered directly by the HIPAA privacy regulations. See 45 CFR sec. 160.102(a).

[34] See Institute of Medicine (1994), supra note 2, at 180–82. Such a solution would in any event be subject to the same “threat of statutory revocation” applicable to existing peer review statutes. See footnote 28, supra.

[35] Biras, “A Contractual Approach to Data Privacy,” 17 Harv.J.Law & Public Pol. 591, 605 (1994).

[36] See 45 CFR sec. 164.502(e). A “business associate” is defined as a person to whom a covered entity discloses protected information so that the associate can perform an activity or function on behalf of the entity. See 45 CFR sec. 160.103. Strictly speaking, it is not clear whether a registry company fits this definition, since it is not clear whether the activities it performs are “on behalf of” the reporting entities. Whether or not a registry operator fits the definition of a business associate, it could still enter into and be bound by a business associate agreement or its equivalent.

[37] 45 CFR sec. 164.502(e)(2) requires a business associate agreement as a means of documenting “the satisfactory assurances” of a business associate that it will protect disclosed information.

[38] Some existing private organizations which collect medical error information, such as the JCAHO sentinel event system, apparently promise confidentiality to reporting parties, but these are of limited value and subject to the risk of mandatory disclosure in litigation. See Johnson and Shapiro, supra note 10, at 9–10. The contractual approach suggested here would provide significantly greater protection, though it could not prevent disclosures mandated by court order. See footnote 41, infra.

[39] Such a contract would be functionally equivalent to a business associate agreement, but would protect reporting organizations and professionals rather than individuals. In general, contractual provisions parallel to those required to protect individually identifiable health information under HIPAA can be usefully adapted to protection of organizational and professional information as well.

[40] The draft HIPAA privacy regulation proposed that individuals be made third party beneficiaries of business associate contracts (business “partner” contracts in the draft regulation). See Christiansen, Electronic Health Information: Privacy and Security Compliance Under HIPAA (2000), at 43–44.

[41] This protection goes further than the HIPAA privacy regulation protections for individuals, which permit a variety of disclosures to governmental agencies without individual notice or consent. See 45 CFR sec. 164.512. It should be noted that such a provision might have to be limited to accommodate the possibility that a court-ordered disclosure would include a prohibition on giving notice to reporting parties, for example in a criminal investigation, but such circumstances should be rare.

[42] The American Institute of Certified Public Accountants, for example, has proposed auditing principles and criteria for the verification that an e-commerce business is in compliance with its stated information privacy practices. See AICPA/CICA WebTrust(sm) Principles and Criteria for Business-to-Consumer Electronic Commerce, Version 2.0 (October 15, 1999). This provision would be consistent with but go beyond the HIPAA privacy regulation requirement that business associate contracts include a provision making business associate internal practices, books and records available for inspection to verify HIPAA compliance by the United States Department of Health and Human Services. See 45 CFR sec. 164.504(e)(2)(ii)(H).

[43] Again, this provision would establish a contractual regime parallel to the HIPAA regulatory regime. See 45 CFR sec. 164.504(e)(1)(ii).

[44] See Winn and Wrathall, supra note 13, at 265–68. There is no legal or operational reason why a database operator, public or private, must be considered the “owner” of the information managed through the database system. See generally Christiansen (1999), supra note 6.

© 2001 The Informatics Review