This is an archive page. The links are no longer being updated.
REMARKS BY: DONNA E. SHALALA, SECRETARY OF HEALTH AND HUMAN SERVICES PLACE: Manuel F. Cohen Memorial Lecture, George Washington University Law School, Washington, D.C. DATE: March 16, 1999
Manuel Cohen was one of the great legal minds of this century. Not only did he train a generation of lawyers, he helped build the safest, fairest and most profitable securities market in the world. Manuel Cohen cast a bright light on the American legal profession - and I'm honored to be able stand in that light today.
I'm not trained as an attorney; my academic background is political science. However, I did apply to GW Law School my senior year in college. You put me on the waiting list. I'm still waiting. But let me say, hardly a day goes by that I'm not talking to; taking advice from; or sharing a bottle of aspirin with - a lawyer.
For all I've learned about the law - including, lately, how to ID muggers - my core focus remains the health of the American people. When I was first named to the President's cabinet there was a cartoon in The New Yorker magazine. The cartoon showed a boy and girl playing. The boy makes the proverbial suggestion that they play doctor. The girl replies, "OK, you be the doctor and I'll be the Secretary of Health and Human Services." Today, that same girl might have answered, "OK, you be the doctor and I'll be the General Counsel of our HMO."
That's really the point. The healing arts - and the legal arts - are now intertwined as never before and certain to become more so. From food safety to managed care to clinical research - law and regulation help keep our rapidly changing health care system from becoming a runaway train.
Yes, we want to continue the spectacular revolutions in how medicine is practiced and delivered. But we don't want our science to get ahead of our ethics. We don't want our health care practice to get ahead of our health care governance. And we don't want caution about the future direction of health care to turn to fear - and fear to turn to paralysis.
There is no shortage of examples how the new world of high tech and managed health care threatens to trump the old world of Norman Rockwell and Marcus Welby health care.
But today I'm just going to focus on one example: Privacy.
As many of you probably know, in a famous dissent, Justice Brandeis wrote that our Founders, "conferred, as against the Government, the right to be let alone - the most comprehensive of rights and the right most valued by civilized men." To which I would add: "and women." Granted, Justice Brandeis was referring specifically to government interference with privacy. But as a broad statement of policy it is one that easily covers both public and private intrusions into our personal lives.
In that sense, Justice Brandeis was a visionary. On the other hand, not even Brandeis could imagine the minefield of privacy threats that now confront us at every turn. Just last week, the New York Times reported that Microsoft was going to modify Windows 98 to avoid creating a vast database of personal information that could be stolen or sold. Similarly, Intel agreed to modify its new Pentium III chip because of privacy concerns.
The Internet, microprocessors, cellular communications, eight gigabyte hard drives: This is the world we live in today. It's fast. It's informative. And frankly, it's a potential danger to privacy.
Still, I believe that Stanley Kubrick's vision in 2001 A Space Odyssey of rebellious computers saying, "Sorry, Dave, I can't do that," was meant as a warning, not a prediction. So I'm not here to tell you that we have to put the genie of modern technology back in the bottle. We don't - and we shouldn't.
Technology will remain our servant, provided we build the necessary safeguards - and preserve the belief of Justice Brandeis - and the heroic Justice Blackmun - in the fundamental right to be let alone. All this means that one of the great challenges of the next century will be to continue our technological progress - while holding on to our privacy, especially the privacy of our medical records.
Since this is Oscar time and all the nominated movies will soon come to a video store near you, let me tell you something you might not know: There is a federal law that protects the privacy of your videotape rentals.
If you like Denzel Washington better than Bruce Willis, or Gwynneth Paltrow better than Sandra Bullock, that information is protected.
But if you have a family history of breast cancer. Or if you've been treated for heart disease. Or if you've been prescribed anti-depressant drugs. There is no federal law telling health care professionals and payers what they can - and cannot - do with that information.
It's true that the landmark Federal Privacy Act does limit what federal agencies can do with health records, but in almost all other cases, control over health care information is left to a patchwork of state laws. That means the potential for abuse is enormous.
Today, we have a burgeoning volume of health care records.
We have a system where information can be passed in real time across hospitals, doctors' offices, state lines - and even international borders.
We have countless Americans reluctantly signing blanket consent forms to have their records released - or refusing to sign them and not getting served.
We have abuse. And we have fear of abuse.
What we don't have are national standards for protecting the privacy of our medical records. That must change.
The time has come to give all of our citizens the right to control and protect their medical histories - no matter where they live, and no matter who pays for their care. So the fundamental question is this: Will our health records be used to heal us or reveal us?
The American people want to know. And as a nation, we must decide.
As I was preparing this speech, I couldn't help but remember that this Administration is not the first to wrestle with the problem of privacy. Twenty-five years ago, one of my predecessors, Elliot Richardson, appointed an advisory board to help the government figure out how to protect the privacy of data in the newly born Computer Age. The report outlined a code of fair information practices - including the need to eliminate secret data bases and give people more control over their personal information.
This report laid the foundation for the Privacy Act, and it established the principle that we must balance our age-old right to be left alone with our desire to fulfill the promise of new technology.
But it is not just government that is working to build practical safeguards for our medical records. Health professionals are speaking out on this issue. Leading academics are also contributing important ideas about protecting privacy. One of them is right here at George Washington University. Professor Amitai Etzioni, just published a book about privacy. In it he notes that reducing health care costs, medical research, public health and quality can all be served, "even if medical privacy is greatly enhanced." Our Administration completely agrees.
That's why the President in his State of the Union address called on Congress to pass legislation this year protecting the privacy of medical records. The President spoke with real urgency - and for good reason. If we don't act now, public distrust could deepen to the point where citizens stop disclosing vital information to their doctors, stop getting needed treatment for mental illness, stop going in for genetic tests, and stop participating in clinical research trials.
Under the Health Insurance Portability and Accountability Act - also known as the Kassebaum-Kennedy law - Congress has until August to pass a comprehensive medical privacy bill. Congress must not let this deadline pass. Protecting medical privacy is a national priority that affects every single American. That means we should act - and we should act through our elected representatives. Still, if Congress fails to live up to its responsibility, Kassebaum-Kennedy gives our Department the authority to issue regulations. And we will. However, that authority is not comprehensive, so what I said last August bears repeating: "We need to finish the bigger job and create broader legal protections for the privacy of medical records in all forms."
I want to be clear: We are not passing the buck to Congress.
We want to work with Congress. That's why in September 1997, we made extensive proposals to Congress for protecting the privacy of all medical records. The proposals we gave to Congress will not only maintain privacy, they'll enhance public health without tying the hands of law enforcement or reducing our ability to fight fraud and abuse. Our recommendations to Congress were guided by five key principles. I'm going to describe each one briefly.
Principle One: Boundaries.
With very few exceptions, a health care consumer's personal information should be disclosed for health care and health care only. Our goal is to make it easier to use information for health care purposes and tough to use it for any other purpose. For example, we recommend that a hospital be able to use personal health information to teach, train, conduct research, provide care, and ensure quality.
On the other hand, employers who get health care information to pay claims must not use that information for non-health purposes like hiring, firing and promotions. The same goes for third parties that are hired to do billing and other services. They must be bound by the same tough standards in the handling of medical records. Even if they don't collect them, they must protect them.
Principle Two: Security.
When Americans give out their personal health care information, they should feel like they're leaving it in safe hands. At every juncture - from doctor to hospital to insurer - there is the potential for both greater care and graver privacy violations. If we are going to block this leakage, Congress must pass a law that says: If you receive health information legally, then you must take real steps to keep that information out of the wrong hands.
Principle Three: Consumer Control.
No one should have to trade in their right to privacy in order to enjoy their right to quality health care. That's why we recommend that Americans be given the power to ask hardball questions: Who's looking at my records? What's in them? How do I get them? How can I change incorrect information?
Let me give you an example of why this is important. According to the Privacy Rights Clearinghouse, a physician in private practice was having trouble getting health, disability, and life insurance. She ordered a copy of her report from the Medical Information Bureau - a clearinghouse used by many insurance companies. The report included information about her heart problems and her Alzheimer's disease.
There was only one problem. None of it was true.
With electronic data, mistakes can multiply and end up on the desks of employers and insurance companies. That's why consumers must be able to know - and control - what is in their medical records.
Principle Four: Accountability
Our recommendation is simple: If you're using medical information improperly, you should be severely punished. We can't just tell hospital workers to stay away from private medical records. We can't just tell private investigators not to lie about their identity in order to see a patient's records. We need to enforce our policy against abuse with tough criminal penalties. That is especially true now that AIDS has created the real - and justified - fear of health care discrimination.
For example, we believe in voluntary AIDS testing. But people will avoid being tested if they don't think their records are secure. The only way to make sure they are secure is to have stiff penalties. As for people living with HIV/AIDS, they don't just worry about their health. They worry that information about their health will lead to assumptions about their sexual orientation - as well as discrimination in jobs and health insurance.
That must never happen. That's why we are fighting to enforce the Americans with Disabilities Act. And that's why we continue to support ending genetic discrimination in health insurance.
But, as we work to protect Americans from breaches of privacy, we must recognize that we have other critical - and sometimes competing - goals.
Which brings me to Principle Five: Public Responsibility.
Just like free speech rights, privacy rights can never be absolute. We must balance our protection of privacy with our public responsibility to support other national priorities. For example, public health agencies use health records to warn us about - and protect us from - outbreaks of infectious diseases. Our Inspector General uses health records to zero in on kickbacks, over-payments and other fraudulent schemes. Researchers have used health records to help us fight childhood leukemia and uncover the link between DES and reproductive cancers.
Other researchers are using health records to make sure that the care patients receive live up to the highest standards of quality based on the best available science. In these cases, it's not always possible to ask for permission, and doing so can create major obstacles to fighting crime and protecting public health.
I'm not arguing for a free pass for research or law enforcement. But I am arguing for balance and reasonable safeguards. Take the case of research.
Institutional review boards already limit access to personal information. These boards determine when it is advisable to waive informed consent. But our new recommendations go further. They require all researchers to carefully protect the privacy of the personal information they receive. And we recommend penalties if they don't.
That's important - not only to protect privacy, but for less obvious reasons too. For example, protecting normal trade relations. Under the European Union's Privacy Directive, if we don't protect health records soon, we might lose the right to share valuable research data with Europe.
All five of these principles are important. But to bring them about we need more than legislation.
We need a major commitment to educating Americans about privacy. Without exception, every health care professional, every insurance agent, every researcher, every public health official, every pharmacist, and yes, every lawyer who comes in contact with health care records must understand why it's important to keep them safe, how to keep them safe, and what the consequences will be for not keeping them safe.
Similarly, we need to educate consumers not just about the privacy risks in this new health care world, but also the rewards. We need to help them understand that in addition to privacy rights - they have responsibilities. That means asking questions, demanding answers and becoming active participants in their own health care.
To help ensure that consumers have the privacy protection tools they need, we're again calling on Congress to pass a comprehensive privacy and confidentiality law. Congress failed to get the job done last year. We will work with Congress. But if they do not act, we will move forward with regulations - not only because the law requires us to, but because it is the right thing to do.
Finally, we need an informed public because, as the National Research Council has pointed out, there are many tough privacy questions that still need answers. Those answers cannot be imposed from the top down. They must be worked out from the bottom up. That means we must have nothing less than a national conversation about privacy.
Since I'm talking to an audience that includes many future lawyers, let me start with some of the unanswered questions surrounding law enforcement. I'll use what I call "Socratic method lite." I'll ask questions, but I won't call on anyone for the answers.
Should auditors be allowed to examine your medical records looking for fraud committed by a doctor? Most people would say, yes.
Should law enforcement officers be able to search through emergency room records looking for someone who has just fled the scene of a crime? Again, most people would say yes.
But, suppose law enforcement officers are looking through insurance records for fraud and stumble upon evidence of an unrelated crime - say drug use. What then?
Similarly, what happens if researchers stumble upon information about someone who may have exposed you to HIV? Is their obligation to your safety? Or the other person's privacy?
What happens if drug companies know you suffer from heart disease and send you information about their new treatment? Is that helpful or offensive? Does your answer change if the disease is depression? What about sexually-transmitted diseases?
These are tough - even wrenching - questions. But they are not going away. And they are not going to be solved overnight. We need to be flexible. We need to be open to all views. And we need a national commitment from government, the health care industry, ordinary citizens - and the legal profession - to find the answers.
I mentioned Stanley Kubrick's 1968 classic, 2001: A Space Odyssey. Sadly, Mr. Kubrick died earlier this month. But when his film first came out over 30 years ago, 2001 really was the future. Not any more. Now it's just two short years away. But what about the next 30 years? Do we face a future of great medical breakthroughs undiminished by misuse of our medical histories? Or do we face a nightmare where seeking health care means giving up our cherished privacy?
The answers depend on all of us working together to make sure that our health care information is held within established boundaries. That our health care information is secure. That those who fail to protect our health care information are held accountable. That each of us retains control over our health care information. And that we figure out how to balance the use of our health care information with other core public responsibilities.
We can do all of this - and when we do, we'll harness today's revolutions in biology, medicine and communications, while breathing new life into Justice Brandeis' profound vision of personal autonomy and privacy. Yes, we can achieve that vision. And if we act today, we will. Thank you.