Whose Business Is It Anyway? The Compelling Need for Privacy of Medical Records in the Workplace

 The ever increasing desire of industry to contain costs in the medical management arena, as well as to gather information about current employees and new hires, and the technological realities of the millenium are now creating new battle lines for workers over the privacy of their medical, genetic, and other personal records. Computers make it easier to store, collect, share and analyze all kinds of data. The attempt to formulate intervention in this arena has placed both federal and state governments as contenders in the management of the confrontation, which may ultimately affect the employment status of every worker in the nation.

The Federal Privacy Commission

In 1977 in an effort to establish a national policy conserving personal privacy, the Federal Privacy Protection Commission was established. Under the chairmanship of Professor David F. Linowes, now Boeschenstein Professor of Political Economy and Public Policy Emeritus at the University of Illinois at Urbana/Champaign, the Commission recommended that businesses voluntarily adopt privacy safeguards in employment record-keeping practices. In a survey conducted by Professor Linowes almost 20 years later, it was reported that there was widespread use of confidential information by employers for employment-related decisions. Thirty-five percent of companies reported that they used medical records to make decisions about personnel. Additionally, while 93% of the companies obtained written permission from the individual when seeking information from a third party, only 32% of the corporations had a policy of informing the individual worker of the types of information sought, only 25% advised them of the techniques used to collect the data, and only 29% disclosed the sources. Furthermore, 70% of the corporations responding to the Professor’s survey had a policy concerning which records were routinely disclosed when inquiries were made by government agencies. Seventy percent of the companies collecting the data disclosed personal information to credit grantors, 47% disclosed it to landlords and 19% provided the data to charitable institutions.

The Federal Mandate

The federal government, driven by several factors including the globalization of the U.S. economy as well as by Congressional mandate, has embarked upon a path to achieve uniform health care data standards and health care information privacy. The European Community has already enacted privacy protection laws. In 1998, the European Union mandated that foreign firms desiring to do business with their European counterparts must also have privacy laws enacted. 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), recognizing a need for limitations on the distribution and dissemination of medical records, mandated legislation for health records privacy by August 21, 1999. HIPAA also requires the Secretary of Health and Human Services (HHS) to issue regulations to protect the privacy of individually identifiable health care records transmitted in standard transactions. The federal regulations are required to be finalized by February 21, 2000. HIPAA also itemizes severe penalties for the misuse of a health identifier and for wrongfully obtaining or disclosing individually identifiable health information. The penalties, which increase by the type of offense, may be as much as $250,000.00 and ten years in prison. 

The lucrative market for obtaining this information is rapidly expanding and many vendors of this information exist. The American Insurance Services Group (AISG) in New York maintains INDEX, which is a national clearinghouse for bodily-injury claims with a database of over 50 million claims. INDEX services public and private self-insureds, third party administrators, state workers’ compensation funds and a number of health insurers. It has been reported that the National Insurance Crime Bureau (NICB) has already begun to construct an "all-claims" database to hold property and casualty insurance claims, without enunciating appropriate privacy protection. The Medical Information Bureau (MIB) collects medical data concerning individuals. Additionally, this entity collects credit history information, driving record information, criminal activity, and data concerning participation in hazardous sports. Companies belonging to MIB account for 99% of the individual life insurance policies and 80% of all health and disability policies issued in the United States and Canada. In 1995, the Federal Trade Commission’s Bureau of Consumer Protection negotiated an agreement with MIB to voluntarily abide by the Fair Credit Reporting Act (FCRA) requirement that individuals be informed when a MIB report was utilized in any part of an insurer’s decision to deny coverage or to charge a higher rate. The insurance carrier, using the MIB’s report, must provide notice to the individual when an adverse decision is rendered in an application for insurance coverage. MIB will provide information to individuals, even if they have not been denied coverage, for an $8.00 retrieval fee. Individuals may write to P.O. Box 105, Essex Station, Boston, MA 02112 and enclose the appropriate request for disclosure form, which will require the signature of the individual requesting the records.

Congressional attention was directed towards privacy rights following the ill-fated 1987 Supreme Court confirmation hearings for Robert Bork. At that time, a newspaper reporter obtained the video rental record for Bork’s family in an attempt to uncover evidence of viewing movies of questionable morality in an effort to discredit Bork’s nomination. Congress, at that time, quickly passed the Video Privacy Protection Act of 1988 (18 USC §2710). Ironically, Bork’s nomination was rejected in large part because he failed to support the right to privacy

The States Jockey For Position

In order to avoid Federal preemption in the area of medical privacy, State agencies have been attempting to develop a Model Act. The members of the National Association of Insurance Commissioners (NAIC) adopted the Health Information Privacy Model Act on September 14, 1998. The NAIC hopes to present the Model Act to the legislators of all fifty states in an effort to avoid Federal enactment of medical privacy legislation. NAIC President and North Dakota Commissioner Glenn Pomeroy stated, "We have sought to write standards that will not cripple the flow of useful information, will not impose prohibitive costs on insurance carriers, and that will not prove difficult to implement in a world that is rapidly changing from paper to electronic records. Pomeroy also indicated the need for the information obtained by insurance companies to be used only for "legitimate purposes." 

The NAIC proposal is a rather limited attempt to solve the wholesale violation of the privacy of the American worker. It requires insurance carriers to develop and implement written policies, standards and procedures for the management of health information. The Model Act attempts to guard against the unauthorized collection and disclosure of protected health information by the insurance industry. It charges insurance carriers with the responsibility of making its health information policies, standards and procedures available to the Commissioner of Insurance of each individual state for review. It provides the right to access protected information by an individual no later than 20 working days after the receipt of a request for the medical information from that individual. Insurance companies would be limited to obtaining, using, or disclosing protected information through the use of a valid authorization that is no older than 12 months. The NAIC proposal permits disclosure of protected health information to federal, state or local governmental authorities as required by law. A disclosure may be made by the insurance company for scientific, medical and public policy research, but the carrier is required to keep a log of the disclosure within a prescribed time period.

There are certain sections of the NAIC Model Act which restrict the liability of the insurance carrier, including the provision that the carrier is not responsible for the acts of its agents or third parties that it contracts with in obtaining medical data. Additionally, the Act does not address civil liability against the carrier by an individual, but rather leaves that option available to the individual States to consider when enacting their own version of the Model Act. Sanctions enumerated in the NAIC uniform proposal include a civil penalty of not more than $10,000.00 for each violation and not in excess of $50,000.00 in fines for multiple violations. A civil penalty could be assessed by the court in the amount of $250,000.00 if it is found that the violations of the Act occurred with sufficient frequency to constitute a general business practice. Criminal penalties are enumerated in the NAIC proposal as follows: $50,000.00 in fines and imprisonment for not more than one year, or both. Additional higher penalties are proposed in the Act for offenses committed under false pretenses or with intent to sell, transfer or use the protected health information for malicious purposes.

Even though the insurance industry has been effective in including several proposals in the NAIC draft, Bruce Wood, Assistant General Counsel of the American Insurance Association (AIA), continues to be critical of the Model Act. Wood is fearful that "the ability of a workers’ compensation carrier to exchange protected health information without an authorization might be interpreted too narrowly." The industry is also fearful that the carrier’s claims investigation files may be disclosable and may hinder the carrier’s ultimate defense of a claim, as a result of what it interprets as an overly broad definition of "health information."

On both State and Federal levels, Labor continues to assert that workers should not be required to surrender their rights to privacy, respect and dignity in connection with their personal medical information as a condition of employment. James N. Ellenberger, Assistant Director, AFL-CIO, Department of Occupational Safety and Health, commented that the NAIC proposal did not provide adequate recourse to those "workers who lose their jobs or who are otherwise discriminated against due to disclosure or misuse of personal health information." Ellenberger points out that the victimized worker "would have no protection and no recourse under the present version of the Model Act." The AFL-CIO is concerned that workers’ compensation insurance carriers may be treated differently under the NAIC Act and that these companies would be permitted to disseminate private health information where other insurance carriers would be prohibited from doing so.

Mike Rucka, Chairman of the Workplace Injury Litigation Group (www.wilg.org), a national organization of attorneys representing injured workers, supported the efforts of organized labor to protect workers’ rights. "Most significantly we have been working with the AFL-CIO on the issue of privacy protection. This area is probably critical to the ability of our clients not to have their medical records placed in perpetuity in the files of all insurance carriers and employers." Scott Meiklejohn, President of WILG, has further stated: "The need for medical privacy legislation is clear. Especially in the area of workers’ compensation, the abuse of the re-release of the records is unacceptable. Legitimate uses of the medial information should be preserved; however, those who use it to chill the reporting of claims or to punish those who do must not be allowed to continue. These records cannot be used as a sword against those seeking legitimate benefits."

The Unique Heath Identifier

At the Federal level, the National Committee on Vital Health Statistics (NCVHS) has been holding hearings and accepting recommendations and proposals at the direction of the Secretary of Health and Human Services (HHS) in order to establish a unique health identifier (UHID) for individuals which places even more urgency on the need to establish adequate privacy protection. 

In order to achieve uniform health data standards and to maintain health information privacy, which can be supported by an efficient electronic exchange of information, the NCVHS has been attempting to establish guidelines for an identifying system for individuals, employers, health plans and health care providers for use in a generalized health care system. Due to the increased mobility of patients, as well as the aging population, additional pressures have been created for the integration and maintenance of health records that include vast quantities of information at multiple locations. In order to assure the continuity of care, accurate record-keeping, and effective follow-up in preventive care, a proposal is being drafted to establish a UHID system. In order to maintain confidentiality and privacy, a computer friendly algorithm or a biometric identifier, i.e. retina or other biological identification, has been suggested. A question exists as to whether or not a link should be established to already existing Social Security numbers which could be used for potential reference for credit and financial data, employment information, consumer behavior data and a wide range of other non-medical reasons. Those wishing to link the data to already existing Social Security numbers cite the effectiveness of injury prevention and environmental workplace exposure records which would provide clinical and public health research efforts with essential data.

States Begin To Hedge Their Bets

In a frenzy of activity designed to meet the upcoming challenges of the regulation of medical records, the individual States have taken action to both expand and restrict dissemination of medical information so that they will be in the best position should Federal legislation allow some State regulation. Several states, including New York (c.545, L.1998), have enacted restrictions to the disclosure of workers’ compensation records. A bill was introduced in the State of California (SB 1430) which would prohibit the release of "individually identifiable information" in the files of the individual’s workers’ compensation claim. 

While genetic testing has become an important and beneficial tool in the treatment and prevention of disease, the potential for discrimination in the workplace for both the worker and his or her family has become enormous. The ability to predict disease raises an entire spectrum of realistic concerns from job security to insurability. The release or linkage of this material to peripheral databases will place an enormous amount of sensitive and private information into the public domain if not regulated. A handful of States have enacted separate laws to regulate information obtained from genetic screening or testing.

The actions of the State of New Jersey reflects the problems encountered by the States in attempting to deal with these serious issues. The result is a chaotic, non-comprehensive and inadequate approach. Outwardly New Jersey presents a cosmetic appearance of protectiveness but realistically it is not moving in that direction as it is taking additional steps to expand the unrestricted dissemination of medical records. The State of New Jersey already has a statute that prohibits dissemination of workers’ compensation records to non-parties, but it does not limit or restrict the use or dissemination of records obtained by an employer or insurance company in the investigation of a claim. N.J.S.A. 34:15-128. Since some employers are self-insured, information can flow freely from the claims unit to other departments.

On the surface, New Jersey has recently further restricted dissemination of archived information by requiring the petitioner to sign an authorization for the release of medical information, but it also offers an alternative means for parties to obtain this same information, namely the judicial process, by way of subpoena. On the other hand, New Jersey is imposing a mandatory requirement for the submission of Social Security numbers for "recordkeeping purposes and cross-matches" to the Social Security Administration, Workforce New Jersey, Temporary Disability Insurance and others (30 N.J.R. 3588, Oct. 5, 1998). While New Jersey is now redacting Social Security numbers from some of the documents being released, it has conversely requested additional medical information, without restriction of disclosure or dissemination, that can be made part of the public record in total disability claims. A rule change has been proposed to require injured workers to submit copies of all "treating physician reports" and excerpts from hospital records, as well as information concerning retirement, disability and Veterans Administration benefits, when applying for State Second Injury Fund benefits. The alleged intent of these submissions would be to verify pre-existing medical conditions for the purpose of apportioning workers’ compensation disability benefits between the State Second Injury Fund and the last insurance carrier on the risk at the time of the accident (30 N.J.R. 3154) (Sept. 8, 1998). 

It would appear that the wholesale acquisition of medical records without restrictions on dissemination may be construed as a violation of privacy and may be calculated as an activity to harass and jeopardize the petitioner and his or her family. Essential need should be demonstrated by the party that is requesting this medical information and restriction should be placed upon its use and dissemination. Court supervision should be imposed through the utilization of Protective Orders to guard against unintended use according to the Rules of the Division of Workers’ Compensation in a manner consistent with the social remedial intent of the legislation.

Congress Attempts to Act

While a uniform federal law appears to be the best approach to achieve a valid level of privacy protection, our legislators have yet to focus on a single route to achieve this goal. The basis of this right to privacy is well-founded in the United States Constitution. Justice Douglas wrote "…that specific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees that help give them life and substance" and that they give rise to the "right of privacy." Griswold v. Connecticut, 85 S.Ct. 1678 (1965).

In Congress, two major pieces of legislation have been proposed. The Medical Records Privacy Act of 1997 (S.1368) is a comprehensive and carefully crafted bill that would insure privacy protection while allowing the idealistic goals of a uniform program to be achieved. It was introduced on November 4, 1997 by Senator Patrick Leahy (D-Vt) and Senator Edward Kennedy (D-Mass). Senator Leahy stated, "Americans strongly believe that their personal, private medical records should be kept private. The time-honored ethics of the medical profession also reflect this principal. The physicians’ Oath of Hippocrates requires that medical information be maintained ‘as sacred as secrets.’" While the information age offers endless possibilities, Senator Leahy believes that unless we are vigilant, the new technology can overrun our privacy rights. The Leahy/Kennedy proposal requires safeguards to ensure privacy of medical information and requires that individuals have prompt access to their own records and also have the opportunity to amend them. It establishes a specific program on how healthcare providers must notify individuals of their rights and establishes rules to ensure individual consent. It limits disclosure of information and allows for segregation of particularly sensitive portions of the medical records, including psycho-therapists’ notes, and retains State law when those restrictions are mandated. Furthermore, it permits civil actions by individuals who have been knowingly or negligently violated under the terms of the Act.

A more pro-industry proposal was offered by Senator James Jeffords (R-Vt) on April 2, 1998. The Jeffords proposal, The Health Care Personal Information Non-Disclosure Act of 1998 (S.1921), makes it mandatory for the participants of healthcare plans to provide authorization for release of their records to their insurance company. If the individual fails to execute the disclosure authorization, termination may result. It also allows healthcare providers to deny individuals access to their own records if the disclosure would cause "substantial mental harm." Finally, the Jeffords proposal fails to segregate psycho-therapists’ notes from exempted records.

The violation of privacy is a contagious disease. From a single incident it can spread in epidemic proportion throughout the veins of the entire spectrum of the electronic network. Medical record privacy, once violated in the workplace, will proliferate with an Orwellian fervor throughout every aspect of a worker’s life. The time is now to legislate a cure for this disease.

By Jon L. Gelman, Attorney at Law
Cite as: 150 N.J.L.J. 592 (November 16, 1998)
---------------------------------------------------- 
This article is reprinted with permission from the Fall 2001 issue of the Workers First Watch. (c)2001