

Hearing on Privacy and Security in the
Information and Technology Age

Presented by Sue A. Blevins
June 4, 2001

Thank you, Mr. Chairman and Committee members, for holding this timely hearing on privacy and security in the information and technology age. I commend you for bringing together a diverse group of witnesses to introduce the Committee and the public to a broad range of privacy issues. Today, I am going to focus briefly on the critical issues of medical and genetic privacy in the information age.

Technological Advances Bring New Challenges

Historically, medical privacy has been viewed as a fundamental right in this country, and Americans have been able to maintain confidential patient-doctor relationships. Until recently, we have been assured that when we seek medical care and reveal the most intimate details of our lives, the information we share would never be stored in large hospital computerized databases. Men have been free to discuss sensitive issues—such as impotency—with doctors, without the fear that their teenage neighbors could hack into the local hospital medical-records system and access that sensitive information. Women have been able to share their emotional concerns about breast cancer with psychotherapists, without worrying about federal agents poring over their psychotherapy notes—without their permission. It may seem unbelievable, but new federal privacy rules actually permit such activity.1

Today, the sacred doctor-patient relationship is in jeopardy. The incredible technological advancements that brought us high-tech, life-saving medical treatments have also increased the risk of medical privacy invasions. During the next few years, it is going to become increasingly easy to transfer electronic medical records over the Internet. With just a click of a mouse, it will be much easier to access and share individuals' records with many third parties. Many Americans are concerned about this ease of access and do not want third parties obtaining their personal medical information without their permission. In fact, a national survey highlights these concerns.

Gallup Survey on Medical Privacy

The Institute for Health Freedom commissioned a national Gallup survey to find out how Americans feel about medical and genetic privacy. We had heard from privacy advocates across the country about their concerns. But we wanted to find out how ordinary citizens across the nation feel about the issue.

The national Gallup survey results show that an overwhelming majority of Americans do not want the government or other third parties to have access to their medical records—including genetic information—without their permission. The survey of 1,000 adults nationwide found that 78 percent say it is very important that their medical records be kept confidential. According to a majority of respondents, no third party should be permitted to see their records without permission. Key findings include:

  • 92 percent oppose allowing governmental agencies access to patients' medical records without permission;
  • 88 percent oppose letting police or lawyers review medical records without explicit consent;
  • 84 percent say employers should not be allowed access to patients' medical records without permission; and
  • 67 percent oppose researchers accessing patients' medical records without consent.

The national Gallup survey also included two important questions about genetic privacy.2 One asked whether doctors should be allowed to test patients for genetic factors without their consent. Only 14 percent of respondents would permit such testing; 86 percent oppose it. The other question asked whether medical and governmental researchers should be allowed to study individuals' genetic information without first obtaining their permission. More than nine in ten adults (93%) feel medical and governmental researchers should first obtain permission before studying their genetic information.

What's more, when asked whether they are aware of a federal proposal to assign a medical identification number—similar to a Social Security number—to each American, only 12 percent said they had heard anything about it. College-educated adults (16%) are more likely than those with less than a college education (8%) to be aware of the proposal. Regardless of their knowledge about it, however, an overwhelming majority (91%) oppose the plan.

Even so, a federal law enacted in 1996—the Health Insurance Portability and Accountability Act of 1996 (HIPAA)—laid the groundwork for assigning each and every American a "Unique Health Identifier," a patient ID number that could be used to track medical information from cradle to grave.3 That plan has been put on hold temporarily until the federal government establishes adequate privacy protections.

However, the new federal regulations that are supposed to protect patients' medical privacy actually permit a large number of individuals to access patients' records without their permission.4 And the federal regulations will preempt state medical privacy laws that are "contrary to" the HIPAA federal law, which establishes a national electronic health information system.

Thus if this Committee and the citizens of Pennsylvania do not want third parties accessing individuals' medical records without patients' consent, then you should become familiar with the federal rules and carefully examine how they could affect your state medical privacy laws.

Federal Medical Privacy Rules:
Do They Really Protect Patients' Privacy?

Currently, the U.S. Department of Health and Human Services (HHS) is finalizing federal rules (developed by the Clinton administration) that will determine who can have access to individuals' medical records without their permission. The purpose of the federal rules is to help make the U.S. health-care system more efficient by creating an electronic health information system.

However, to increase efficiency and help pay medical claims faster, the federal rules allow many people and organizations access to individuals' personal medical records without consent, including, but not limited to:

  • Banks
  • Researchers
  • Law enforcement officials
  • Federal governmental agents
  • Foreign governments collaborating with U.S. public health officials.

The rules actually mandate that every doctor and other health care practitioner share patients' records with the federal government—specifically HHS—without patient consent.5 The federal government has granted itself the authority to access an individual's psychotherapy notes in order to monitor compliance with the new rules.6 Ironically, this mandate will be enforced by the HHS Office for Civil Rights.7

Also, there is nothing in the rules that prohibits the federal government, state governments or private parties from compiling large databases of patient information without consent. What's worse, individuals cannot sue if their privacy is breached under the final federal medical privacy rule. Instead, the federal government imposes fines.

I think the penalties are perverse: if a patient's privacy is breached, the federal government collects money, but the patient gets nothing. Something is terribly wrong with this picture.

When one's medical privacy is breached, it affects more than just one's physical well-being. Breaches of medical confidentiality can affect one's employment status, ability to purchase health insurance, and ability to acquire a personal or business loan. For example, think about how the following breaches (compiled by HHS) must have affected the individuals involved.

  • A banker who also sat on a county health board gained access to patients' records, identified several people with cancer, and called in their mortgages.8
  • A candidate for Congress nearly saw her campaign derailed when newspapers published the fact that she had sought psychiatric treatment after a suicide attempt.9
  • A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet.10

In each of these cases, do you think it is fair that the federal government should collect fines from the guilty parties, but the individual whose privacy was breached receives no compensation?

Genetic Privacy in the Information Age

Another important issue I would like to address briefly is the issue of genetic privacy and DNA ownership. During the next few years, there is going to be a major battle over who owns your DNA. The state of Oregon passed a law in 1995 that says individuals own their DNA. That law caused quite a stir among the medical and biotechnology industries. The Oregon law has been weakened and currently there are efforts to overturn it altogether.

The Pennsylvania legislature could prevent serious privacy invasions in the coming years by writing a law that defines clearly who owns one's DNA. Without this basic clarification, the line between genetic privacy and genetic ownership will remain fuzzy. For example, without a DNA ownership law, researchers theoretically could maintain one's genetic privacy but inappropriately use someone's DNA for cloning. In other words, a state law that addresses genetic privacy but ignores genetic ownership will not necessarily prevent individuals' genetic information from being used inappropriately.

Important Time for Addressing Medical and Genetic Privacy

Given the strong public demand for medical and genetic privacy rights, it is important to consider the ramifications of not meeting this demand. For example, without adequate medical-privacy laws, will persons with sensitive—but serious—illnesses avoid seeking treatment for fear of privacy breaches? When responding to questions for national medical research studies, will individuals lie to prevent their sensitive information from being stored in large computerized databases and used by third parties without their permission? If so, that could seriously degrade the quality of medical research in this country.

Moreover, are the citizens of Pennsylvania thoroughly informed about how the new federal medical privacy rules are going to affect their right to privacy? I would venture to say that most hard-working people do not have the time to study this complicated issue and they certainly do not have time to read the 367-page rule. Instead, citizens are counting on their elected officials to make sure their state rights are not stripped away by new federal rules.

This Committee and the Pennsylvania legislature have some very critical issues to consider during the next year. To truly protect citizens' medical privacy in Pennsylvania, the legislature would need to:

  1. Ensure that state medical-privacy laws are clearly more stringent than, and not "contrary" to, the weak federal rules. This would include enforcing medical-privacy and genetic-ownership laws that require patients' consent before releasing their medical information—including genetic information—to third parties.
  2. Ensure that the new federal rules do not preempt more stringent state laws.
  3. Ensure reasonable and adequate compensation for individuals (not the federal or state government) if individuals' medical privacy is breached.

This Committee is probably going to hear a lot about the need to share patient medical information in order to protect the public's health. In view of that argument, it is important to note that we have seen incredible advancements in medical technology during the past 30 years when the United States enforced consent laws. Simply because we have new technology that facilitates the exchange of medical information electronically does not mean that we should eliminate the important legal concept of informed consent.

Any new law or regulation that strips Americans of their right to determine who sees their medical records goes against the will of the majority of citizens. Consent has always been viewed as a fundamental human right, and the national Gallup survey confirms that Americans strongly support that right when it comes to determining who can access their medical and genetic information.

As Americans, we cherish the freedom to confide in and maintain confidential relationships with our clergy and lawyers. Should we not also be free to maintain a sacred, confidential relationship with our doctors and other health-care practitioners? After all, the primary goal in seeking medical care is to be healed, not revealed.

Finally, I would like to note that until today, there has been little awareness as to how the new federal medical-privacy rules could affect the citizens of Pennsylvania. I commend this Committee for bringing these important issues to light. Thank you kindly for the opportunity to testify before this Committee during this groundbreaking hearing. I would be pleased to answer questions or provide additional materials for the record.

1 Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82811, 82805.
2 The Gallup survey, titled "Public Attitudes Toward Medical Privacy," was conducted by telephone with 1,000 adults nationwide between August 11 and August 26, 2000. The margin of error is plus or minus 3 percent. The survey report can be viewed in its entirety at the Institute for Health Freedom's Web site (
3 Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191).
4 "The Final Federal Medical Privacy Rule: Myths and Facts," by Sue A. Blevins and Robin Kaigh, Esq., February 8, 2001 (see
5 Federal Register, Vol. 65, No. 250, December 28, 2000, p. 82802.
6 Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82811, 82805.
7 Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82775, 82381.
8 The National Law Journal, May 30, 1994.
9 New York Times, October 10, 1992.
10 The Ann Arbor News, February 10, 1999.