From: Dennis Melamed
Organization: Melamedia Editorial Services
Sender: "Health Informatics in Int'l Development"
Date: Fri, 30 Jan 1998 10:25:33 -0500
Subject: Health Information Privacy

Health Information Privacy Alert
Update-Jan. 30, 1998

HCFA REVIEWS BAN ON INTERNET TRANSMISSION OF BENEFICIARY DATA

HMOs and other vendors on contract to the Health Care Financing Administration should continue to avoid the Internet as a medium for sending Medicare and Medicaid beneficiary data, the agency informed companies late last year.
HCFA information security officials said current encryption technologies were still not adequate to provide the privacy protection required. Electronic transfers of data are allowable only if the company has its own dedicated line and server. However, HCFA is reviewing its policy in the wake of continuing inquiries from the field. No deadline for a revised policy has been set, and HCFA security systems managers also note that they do not want to impose requirements they cannot enforce.

HUMAN RESOURCES OPERATIONS THREATENED BY E.U. PRIVACY DIRECTIVE, LACK OF U.S. ACTION

U.S. firms with European operations could see their human resources records entangled by an E.U. directive requiring more restrictive handling of health data. Once the directive takes effect in October, data flows of all sorts may be circumscribed if E.U. officials decide a non-E.U. country's privacy protections are not equivalent to Western European privacy safeguards.

When a nation lacks a comprehensive privacy law analogous to the E.U.'s, the Europeans will look at how that country protects data in specific sectors. If they decide that data do not receive sufficient protection in a given area, they may bar transfer of such information between Europe and the affected country.

The E.U. directive puts a strong emphasis on the protection of health information, including company records related to employee health benefits. If the E.U. implements its directive as forcefully as possible, U.S.-based companies operating on the Continent would have to make significant adjustments in their operations. The warning about human resources files came from Peter Swire and Robert Litan, authors of a forthcoming Brookings Institution book on the directive's impact around the world.

EU DIRECTIVE CASTS SHADOW OVER U.S. PHARMACEUTICAL, MEDICAL DEVICE MANUFACTURERS

U.S.-based drug and medical device marketing and research could be severely disrupted when the European Union privacy directive takes effect in October, even though the directive offers a few carefully worded exemptions. That is the word from authors of a forthcoming Brookings Institution book on the directive's implications for the U.S. and other nations.

Controls on data transfer from Europe to third countries such as the U.S. do not apply when the information is being used "for the purpose of historical or scientific research" or for the practice of "preventative medicine" by health professionals, note Peter Swire and Robert Litan, whose book, None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive, will appear this spring. Swire teaches law at Ohio State University; Litan heads the economics studies program at the Brookings Institution, which will publish their book.

As a result of the directive's broad exclusions for information used in research and treatment, clinical data for new pharmaceuticals or devices - assembly of which can consume more than a decade and involve many researchers working in numerous countries - may escape constraints delineated in the directive.

NCVHS TOLD MORE SAFEGUARDS NEEDED ON REGISTRIES

Patient registries, such as those operated by patient advocacy groups, are protected only by an unwritten code of ethics, and may need the defenses that would be required by a health information privacy law, patients' rights advocates told the National Committee on Vital and Health Statistics.

Many of the groups that make up the National Organization for Rare Diseases (NORD) maintain data bases, whether to facilitate mutual support activities, speed communication of news about those conditions, or function as working registries to record and analyze morbidity and mortality data, said NORD spokesman Michael Langan.
However, the only bulwark against misuse of personally identifiable information such as names, addresses, and telephone numbers is an informal code of ethics, Langan told the Subcommittee on Privacy and Confidentiality during a Jan. 29 roundtable discussion of what constitutes a registry.

"Our member organizations have the names, addresses, and telephone numbers of hundreds of thousands of people with rare diseases," he said, estimating his organization represents 20 million patients. "They have provided that information voluntarily, because they have a great deal of trust," he said. "There is no way to explain how that trust developed except by our record. They know that their names are not going to land on the front page of the local paper as a result of any action of ours."

CONTROLS ON PERSONAL IDENTIFIERS PROVE ELUSIVE

Creating a regime to define and control personally identifiable information in health records is proving a daunting task for lawmakers, regulators and consultants. The difficulty will increase as Congress edges closer to protecting medical records confidentiality. A roundtable on the issue's complexity was convened in late January by the National Committee on Vital and Health Statistics.

The leading congressional proposals dance around the issue in different ways, but wind up sharing an inescapable ambiguity, said panel chairman Robert Gellman. Controllers of government data do little better than their counterparts in private industry in their efforts to put labels and parameters on the concept; they respond to the challenge by creating entities to review data requests case by case. The National Center for Health Statistics, for example, wrote a checklist of matters to consider before releasing data; NCHS uses an intra-agency committee to review information requests.

The problem is intensifying, the privacy subcommittee learned, as the Internet brings previously remote data bases within easier reach.

ORGAN PROCUREMENT STYMIED BY HOSPITAL PRIVACY CONCERNS

Medical records reviews would enhance accuracy in counting donors whose organs are available to be re-used, but the possibility of having their records scrutinized unsettles hospitals, the U.S. General Accounting Office reported. Facility managers are concerned that wider records review could mean trouble for them over patient privacy.

Improved technology and technique have expanded the population eligible for transplants. At the end of 1996, the waiting list totaled 50,047, GAO said. But organ supply has not kept pace, so GAO reviewed the appropriateness of HCFA's population-based standard. That set of criteria is supposed to gauge the extent to which organ procurement organizations are doing their best to identify, procure, and transplant organs and tissue.

For information on how to subscribe to Health Information Privacy Alert, send an e-mail to [log in to unmask]