Via Adrienne, a disturbing bit of news: New York City Starts To Monitor Diabetics
New York City is starting to monitor the blood sugar levels of its diabetic residents, marking the first time any government in the United States has begun tracking people with a chronic disease.Under the program, the city is requiring laboratories to report the results of blood sugar tests directly to the health department, which will use the data to study the disease and to prod doctors and patients when levels run too high.
OK, so New York City decides it wants to figure out how well its diabetic population is controlling their disease, which areas have it worst, and that sort of thing. Seems like a fairly reasonable thing to study. There are procedures for doing studies that involve collection of many people’s information - largely focused on making sure that necessary consent is obtained and confidentiality is respected. If they just wanted to study the disease distribution, and collected test results without any identifying data, I wouldn’t have a problem with it. That’s not an unusual thing to do.
But the city also, apparently, plans to inform patients and their doctors when the patients’ test results aren’t up to snuff. Obviously, this means that the city is collecting personally identifying information; otherwise they’d never be able to find the patients. I sincerely hope that the lack of any information about informed consent to this monitoring was an omission by the newspaper and not the city. But given that the article quotes lawyer Robin Kaigh saying that “they are not even required to tell you this is happening,” I’m skeptical as to whether there is any consent involved. Admittedly, I’m not a lawyer and spend only as much time with HIPAA regulations as I need to so they’ll let me in the hospital, but I can’t see how that isn’t a violation of some sort of privacy regulation. And if it’s not, it should be.
Beyond that, I don’t even see the point of this. Presumably, people who are going to the labs to have their recommended tests done are managing their illnesses. I know medical paperwork is notoriously awful, but it seems to me that most of the time, when people have lab tests done, they’re sent there by their physicians, who get a copy of the results, and they fill out a form with their address, so they get a copy as well. Obviously this doesn’t always work out. But if the city wants to try and improve this process, perhaps it could require that a physician’s address be provided before any test is done, or patients be given a number to call to get their results with no voicemail runaround, or whatever it thinks might streamline the communication of results. Having the city insert itself into the process seems like the worst possible idea - the only thing that could be more difficult than dealing with health-care red tape is dealing with government red tape on top of it.
Besides, I’d imagine that the people who are going to the trouble of visiting the lab and getting poked have some idea of how their disease is progressing, and their doctors probably do too. The people who “don’t take it seriously” or “are not paying good enough attention” are most likely the ones who aren’t visiting the labs.
Hmm. I bet the next step will be to identify people with diabetes (once you start yoinking people’s private health information, it won’t be that hard) and start harassing them to get their tests done. It sounds excessive, but then, once we wouldn’t have thought that public health departments would use intrusive tactics justified by the need to control epidemics for diseases that aren’t even communicable.
January 18th, 2006 at 4:05 am
Unfortunately, the HIPAA “medical privacy” rule allows many, many entities including law enforcement, health researchers, federal and state governments, other health care providers that treat you besides that doctor, insurers, and countless others access to medical information without patient consent. This list of disclosure without patient consent includes public health departments. When you go to the doctor’s office, read the form you are given. It is marked “Notice”, not “Consent”. Under the HIPAA medical privacy rule, they are now telling you who will see your medical information, rather than asking you. The form you are asked to sign is just to show you were given “notice”, you are not giving “consent. It is quite possibly one of the biggest examples of the public being told they are being given something that is going to protect their privacy, when in reality it allows by law many many more entities than ever before to have legal access to patient medical information without patient consent. For further information go to http://www.forhealthfreedom.org and read the “Privacy” section. You can contact me through that site.
To the extent that state law is more stringent than and more protective of privacy than HIPAA, then state law will prevail over the HIPAA medical privacy rule. But in any event, under HIPAA, public health departments are allowed such access. In NYC, the NYC Dept. of Health has passed the resolution to have all labs report patients’ a1c blood test results to the NYC Dept. of Health without patient knowledge or consent and that information will be placed on a database/registry, again without patient knowledge or consent. So much for privacy!
Beginning in the S. Bronx, the patient’s doctor will then be contacted by the Dept. of Health to discuss the patient’s treatment plan, drugs, exercise, etc. The rest of NYC’s blood test results will be reported to the NYC Dept. of Health as well, but contacting the patient’s doctor has been put on hold at this time. My information comes directly from a conversation I had with Dr. Diana K. Berger who heads the Diabetes Prevention program at the New York City Department of Health. This is a landmark step– for a city to track the private medical informaton of a patient with a non-communicable disease who poses no threat to others; surely other cities will follow NYC’s lead. In addition, diabetes is being tracked now, surely cardiac disease and other conditions may be tracked in the future. It is a profound invasion of privacy! In addition, with such private medical information on a database, it may be subject to the same hacking and serious invasions of privacy that happened in the financial sector with Choicepoint and Bank of America this past year.
Robin Kaigh, Esq.
January 18th, 2006 at 2:10 pm
I’m admittedly ignorant, but is the test they run at the doctor’s office for blood sugar only show blood sugar? (As opposed to the self testing at home)
It seems as if the gov were given a whole slate of test results (perhaps to detect other diseases), there would be quite a few “illegal” activities you could detect with it.
January 18th, 2006 at 3:56 pm
Robin Kaigh, thanks very much for the comment! As you noticed, my knowledge of HIPAA regulations is sketchy at best, so I really appreciate the information. As to your last half-paragraph or so, I absolutely agree. It’s outrageous.
February 2nd, 2006 at 12:53 pm
The mandatory reporting of A1C test results raises significant legal implications as to a patient’s constitutional right to privacy. The Supreme Court has recognized that the “zone of privacy” involves two distinct types of privacy interests, which include the “individual interest in avoiding disclosure of personal matters, and another is the interest in independence in making certain kinds of important decisions.” Whalen v. Roe, 429 U.S. 589, 599 (1977). The Supreme Court has also observed that it is the role of courts to review legislative action “enacted to protect the public health, the public morals or the public safety, [that] has no real or substantial relation to those objects, or is, beyond all question, a plain, palpable invasion of rights secured by the [Constitution] …” Jacobson v. Massachusetts, 197 U.S. 11, 31 (1905). Since then, lower courts have interpreted this standard and stated that although a patient’s right to privacy in their medical information and records is not absolute, “[t]he court must determine whether the societal interest in disclosure outweighs the privacy interest involved. To avoid a constitutional violation, the government must show a compelling state interest in breaching that privacy.” Doe v. Borrough of Barrington, 729 F. Supp. 376, 385 (1990).
While the invasion of privacy may be easily defended in the case of a public health threat, such as presented by infectious or communicable diseases, no such threat exists with diabetes, therefore it is unclear how the courts would decide such a case.
However, some reporting issues - and therefore, some HIPAA issues - are almost certain to occur as a result of the NYC plan. For example, the reporting requirements only apply to patients who are residents of the 5 boroughs of New York City. However, it can be difficult for a laboratory to known for certain where a patient resides, especially given the fact that requisitions may not include a patient’s home address. In these cases, laboratories will almost surely inadvertently report to the Department test results based on the location of the ordering provider’s office for individuals who are not residents of New York City, therefore residents of other states like New Jersey or suburban counties outside of New York will likely have their data shared as well. As a result, clinical laboratories could potentially be subject to allegations of HIPAA violations for disclosing protected health information that is NOT subject to the NYC Health Department’s proposed requirement.
February 13th, 2006 at 7:13 am
By the way, we have started a website for more information about this plan. It can be found at http://www.stopnyca1ctracking.org. I encourage anyone interested in this issue to visit the site.