To members of the legislature’s Public Health Committee regarding H.B. 5290, An Act Concerning the Office of Health Strategy and Raised Bill S.B. No. 16, An Act Implementing the Governor’s Budget Recommendations Regarding Public Health:
Thank you very much for this opportunity to express alarm that you may continue to vote for Connecticut citizens to have their identified medical records seen by scores of people besides their providers without patient consent. People think that their lifetime, intimate medical information is private, not just confidential at best. It is truly amazing that medical records are considered less important than are phone records to be protected by the 4th amendment.
With H.B. 5290 and S.B. 16, Connecticut continues to override patient privacy rights in order to get data to determine Connecticut’s health care policies.
The umbrella of following HIPAA is used to deflect from appreciating the serious lack of privacy for us all, because HIPAA largely provides for confidentiality, not privacy. However, insurers, hospitals, providers, governments, and the private technology companies which process identified data from the outpatient treatment facilities (S.B. 16, Sec. 94 (b)), from the identified Connecticut Prescription Monitoring Program Reporting System and from the Health Information Exchange, etc. are happy with HIPAA because it makes it easier for them to move identified data around without needing patient consent.
These bills increase the taking and disclosure of identified health information along with de-identified information (but re-identification is still possible). H.B 5290, Sec. 40 and S.B. 16, Sec. 94 (b)(c)(d) now call for the ability to release identified hospital outpatient facility records (with data from patient medical records) to researchers, state agencies, federal agencies, the attorney general, the comptroller and to other states too!
Further, is it the intention also to be able to release the rest of the identified medical information already going to the Department of Public Health and now to the Office of Health Strategy? This includes identified hospital discharge summaries, identified Tumor Registry data, identified infectious disease data with labs, and identified newborn DNA (S.B. 16, Sec. 2). (Is the whole genome recorded and how long are the DNA data kept in state computers and is parental consent obtained for it?)
Will the Office of Health Strategy employees be able to carry out the mandates of H.B. 5290 and S.B. 16 to set health care policy and monitor provider and patient behavior, without actually looking at identified patient records including their electronic medical records, their health claims data in the All-payer Claims Database and their pharmacy/medication usage? Is there a legislative commitment to mask patient identities when the data is studied?
S.B. 16 (Sec. 58 (b)(5)) says that the All-Payer Claims Database, also taken without consent, will be released in de-identified form (as was promised when it was created), but does that mean that the OHS itself will only see de-identified data too?
Connecticut is in the process of setting up a Health Information Exchange for all of a person’s medical data to be managed by a private company. Are we expected to trust that the State of Connecticut can prevent our data from being hacked across its systems and that its audits can prevent any misuse of our data against us or our newborns?
And most importantly, will we be allowed to opt-out of including our whole medical record or parts of our medical record from inclusion in the computer system of the Exchange to which the Office of Health Strategy will have access? Or will be forced to trade our privacy in order to receive health care as is happening now with many of the electronic medical systems across the state?
Susan Israel is a physician from Woodbridge.