Agency Information Collection Activities; Proposed Collection; Comment Request; FTC File No. P-125402
This comment is in response to the Health Breach Notification Rule. As the proposed rules apply to electronic health records, I propose creating rules that regulate the creation of All Payer Claims databases, with specific attention to conflicts of interest. As such, the FTC should regulate whether access to confidential medical data in electronic health records by specific vendors is, in itself, a data breach.

I've attached a complaint I made to the US Health and Human Services Office for Civil Rights earlier this year. In it I describe Milliman's previous FTC violations of Section 607(d) of the Fair Credit Reporting Act. Milliman Inc. is one of the top purchasers of medical records nationally. I would argue that Oregonians' medical data has already been breached by Milliman's business relationship with the Oregon Health Authority (OHA). That's because the OHA uses Milliman for its All Payer All Claims database. States across the nation are creating these databases. New Hampshire also uses Milliman. Vendors of these databases include universities, actuarial companies... and even defense contractors, like General Dynamics Information Technology.

http://www.apcdcouncil.org/state/map
http://www.apcdcouncil.org/vendors

The OHA includes most of the state's health care programs, including Public Health, the Oregon Health Plan, Healthy Kids, employee benefits and public-private partnerships. The OHA is the covered entity that signed the business associate agreement with Milliman Inc.

http://tiny.cc/z87txx

Oregon created their All Payer All Claims database without notice and consent of patients. As such, only the very rare person would know their sensitive data is in this database. The OHA and health plans are exempt from the HIPAA privacy rule of notice and consent, as they claim a clearinghouse is necessary for operations. This is despite the fact that neither the State nor the Federal Government subsidizes my Kaiser Permanente plan--which is through my husband's employment.
The massive Anthem data breach involved business associate agreements with a reciprocal claims payment network called BlueCard--which was truly necessary for operations. Milliman shouldn't get a free (more accurately, paid) pass into Oregon patient data to enhance their consulting business with companies like Anthem. https://www.anthem.com/provider/noapplication/f1/s0/t0/pw_b130694.pdf In summary, the FTC should revise rules to address conflicts of interest for All Payer Claims databases.