The federal medical privacy rule (the HIPAA Privacy Rule) took effect on April 14, 2003. It gives us no reason to celebrate.
Despite the flurry of privacy notices and irksome new obstacles to normal patient-doctor interactions, private medical records have not been protected. Instead, the federal government has authorized 600,000 clinics, hospitals, insurers, and data processing companies to dig deep into the private lives of more than 280 million individuals. For the most part, patients won't be allowed to know who's doing the digging.
State legislators now hold the key to protecting patient privacy. The federal rule sets only a floor: state laws that are stricter and more privacy-protecting are not preempted and will take precedence over it. Topping the list of privacy violations in the federal rule--and thus topping the agenda for state legislators--are:
No Patient Consent Requirement
Patient-identifiable health information can, and at times must, be disclosed without patient consent for a broad list of activities including public health surveillance, federal review of compliance, government databases, payment, treatment, health care operations, government oversight of the health care system, judicial proceedings, law enforcement, abuse or neglect reporting, military activities, national security, some medical research, workers' compensation, and organ donor solicitation activities.
False Assurance of Audit Trail
The federal rule requires that a patient who asks be given an accounting of the disclosures an institution has made of that patient's data. However, the accounting need not be patient-specific, and exceptions to the rule abound. Disclosures for payment, treatment, and health care operations--a group of 18 broadly defined activities--need not be reported. "Business associates" that receive data for contracted work will go unnamed. And disclosures to the U.S. Department of Health and Human Services (HHS) for the purpose of validating, monitoring, or enforcing compliance with the rule will not be part of any disclosure report. If ABC law firm, XYZ credit agency, YourData corporation, or the federal government obtains medical record information, the patient need never be told.
Reporting Loophole
Most public health and researcher use of medical record data will be done under the radar of patients. If a "limited data set"--the entire medical record minus 16 direct identifiers--is used, no report to patients is required. HHS acknowledged that patients can still be identified from a limited data set, but insists that a data use agreement will prevent such identification. However, violations of these agreements--which require that patients not be identified or contacted--cannot be pursued legally by HHS, because government agencies and most medical researchers are not covered entities and so fall outside the rule's jurisdiction.
Psychotherapy Notes Not Protected
Psychotherapy notes contain not only private statements expressed by patients, but also the thoughts and conclusions--right or wrong--of the therapist. HHS acknowledges the special privacy concerns of psychotherapy notes, but does not exempt them completely from disclosure. A therapist is permitted to disclose the notes for training programs, legal proceedings, government oversight of the therapist, and to protect the health and safety of a person or the public. And in a clear-cut case of irony, federal officials from the U.S. Department of Health and Human Services can read the notes while they evaluate the therapist's compliance with the privacy rule.
Marketing and Fundraising
The privacy rule will not stop unwelcome phone calls and uninvited solicitations for contributions. Fundraising and marketing are not prohibited by the federal rule. Practitioners, clinics, hospitals, and insurers who hold patient data may engage in fundraising using the patient's name, address, age, other demographic data, and treatment dates. The rule requires that patients be provided with a way to opt out of fundraising, but there is no absolute prohibition against continued solicitation after the patient opts out.
Marketing is permitted if the solicitation is provided in a face-to-face conversation between a patient and his doctor or insurer. Promotional gifts of nominal value may also be sent to the patient. This means a diaper company could contract with a pediatric clinic to send expectant moms a small sample of their diaper product. Clinics, hospitals, and insurers also are allowed to engage in health care operations that include contacting patients "with information about treatment alternatives."
Federal officials have declared private medical records to be public property. The rule makes medical records available without patient consent to individuals and organizations that claim a need or a right to them. That the term "privacy" is not even one of the 61 terms defined in the rule provides further evidence that, despite its title and statements to the contrary, the rule was not written to protect patient privacy. It was written to share patient data. It's about to do a very good job.
Public health nurse Twila Brase is president of Citizens' Council on Health Care. http://www.cchconline.org