I emailed HHS about 2002's proposed changes to extant medical privacy regulations--about individual medical records being subject to data trawling--and got back a response that made me think I'd emailed a trash can (I doubt my comments made it into the Federal Register). But here's what I sent: the first two paragraphs just say that since hhs.gov's web link for e-commenting wasn't working, I was emailing my e-comments.

Date: Sat Apr 13 17:54:13 2002
To: hhs.mail@hhs.gov
From: claudia <msdata@srv.net>
Subject: I can't get your e-comments page to load so here are my comments
Message-Id: <f05100300b8de7e050390>
I found "DEPARTMENT OF HEALTH AND HUMAN SERVICES, Office of the Secretary, 45 CFR Parts 160 and 164, RIN 0991-AB14, Standards for Privacy of Individually Identifiable Health Information, AGENCY: Office for Civil Rights, HHS. ACTION: Proposed rule; modification" @ http://www.hhs.gov/ocr/hipaa/propmods.txt. Besides providing me with the text of the proposed modifications, this site told me to go to http://www.hhs.gov/ocr/hipaa/ to make a public comment; I did so; t he site told me to go to http://erm.hhs.gov:9567/nprm/comments.cfm to make a public comment; I tried to do so: I say "tried" because, in the half dozen or so times I tried, the bottom of my browser window said I was receiving the file http://erm.hhs.gov:9567/nprm/error.cfm; the page for making a public comment invariably failed to load.

Consequently, since I am a citizen and entitled to make a public comment--and have made a good faith attempt (I even tried loading the page for making a public comment using different browsers)--I have appended what I consider to be my public comment to the proposed modifications below the ** line after my name.

Yours truly,

claudia krenz

Claudia Krenz, Ph.D.
Box 7050
Nikiski, AK 99635


Speaking as a citizen, my concern about the proposed modification is that although it establishes procedures for streamlining the dissemination of information identifiable at the level of the individual citizen, it fails to provide mitigation measures: with streamlining the collection of information will inevitably come the greater accumulation of inaccurate information. This is an unintended but certain adverse impact of the proposed modification (as is its antithesis, one of the unstated goals of the proposed modifications, the accumulation of accurate information). The accumulation of the former, the uintended consequence. is because "medical" and "accurate" cannot reasonably be thought synonymous.

Not explicitly addressing this adverse impact dooms the individual citizen to being ghosted by a flotsam of more and less accurate medical information. The mechanism by which the individual citizen would be adversely impacted is seen in the historical example of Usenet's "urban legends," recurring stories like "the modem tax" that are discredited ... only to be resurrected at some later time by someone not in on the previous discussions ... and time again.

To mitigate this unintended but certain (if implemented) adverse impact of the proposed modifications, the proposed modifications should stipulate that a) covered entities transmitting medical information identifiable as that of an individual citizen should RECORD said transmission, which should itself, dated, become part of the individual citizen's medical record (such record keeping would not be onerous in the context of an individual citizen's health management) and b) the individual citizen has the right to examine and comment on his/her medical record, with those comments themselves becoming a formal part of that record (what applies to credit reports should apply to medical records, only more so; additionally, M.D.s typically don't want patients seeing their medical records let alone having copies of them).

If the proposed modifications can guarantee the accuracy of information accumulated as the inevitable result of streamlining the process of its collection, then its language should state so explicitly.

To reduce the number of situations where covered entities' fiduciary interests come into conflict with the individual citizen's right to privacy, covered entities should be expressly PROHIBITED from "generic searching," e.g., sending out spiders or trawling databases for anyone fitting a particular demographic definition, e.g., "married and 62." Covered entites should also be prohibited from selling and purchasing medical information identifiable at the level of the individual citizen.