Initially, it seemed that the privacy rule for HIPAA would protect patients' privacy, but in reality it has opened the door for insurance companies and hospitals to view private health care information. How can physicians and patients protect their privacy from further erosion?
The right of consent, which gives individuals the power to keep personal health information private, has always been recognized under state law and has always been strongly upheld by state and federal courts. When President Bush made the Health Insurance Portability and Accountability Act (HIPAA) the law of the land in April 2001, the Privacy Rule gave every American the federal right to consent to the release of their medical records.
Originally, the HIPAA Privacy Rule did in fact protect every citizen's right to medical privacy, and Bush was lauded as the Privacy President. But behind the scenes, powerful corporate interests worked to turn it into its polar opposite, a "disclosure rule." The Bush Administration opened the door so that the hospital and insurance industries could amend the privacy regulations. Distracted by war, we missed completely the elimination of our precious constitutional right to privacy, the right to be let alone, as the so-called Privacy Rule went into effect.
A massive campaign of disinformation has led the media and public to blind acceptance of the Administration's claims that HIPAA will increase medical privacy protections. In actuality, the amendments to the HIPAA Privacy Rule surgically excised every citizen's right of consent to release their medical records and replaced it with a new doctrine of federal "regulatory permission" (67 Fed. Reg. 53,182, Aug. 14, 2002). This new right of access given to over 600,000 "covered entities" and their innumerable "business associates" allows them to access every American's cradle-to-grave medical records without consent, without notice and without recourse. It is unlikely that any identifiable health information, past or future, will be immune from use and disclosure under this new standard. This technical exception, embedded deep in the several-inch-thick Rule, created a loophole the size of Texas that insurers, employers, banks, state and federal agencies, and all their "business associates" can drive through with truckloads full of medical records. (Final modifications to the Privacy Rule, in the Aug. 14, 2002, Federal Register and the Complete Privacy Rule Text, as modified Oct. 10, 2002, are available at <www.hhs.gov/ocr/hipaa/finalreg.html>.)
The loss of meaningful consent for patients will have far-reaching consequences for medical care in the United States. These consequences have yet to be understood by most physicians, not to mention the public, the media or arguably even the promulgators of this impending disaster. Even if treatment is paid for out-of-pocket or an individual never has another contact with the health care system, their personal health information may now be accessed. The amendments to the HIPAA Privacy Rule grant breathtakingly broad and unprecedented powers to both private corporations and government entities to collect and amass the individual medical data of every person in the United States. Never in history has such a crucial right been eliminated for every member of the population.
The loss of consent will insidiously yet radically alter the physician-patient relationship and destroy the trust that patients must feel to share sensitive and painful medical and mental health information with all health care professionals.
Will there be a physician or patient or consumer-led uprising? Not necessarily. But there will inevitably be a profound shift in patient behavior. People refuse treatment when they believe their diagnosis or prescription records will be seen by employers, insurers and bankers and used to discriminate against them. When patients realize neither they nor their doctors have the right to stop the flow of sensitive medical information out of doctors' offices and other treatment sites, they will fight back. Patients will begin to avoid or leave doctors and hospitals that use their medical records without permission. They will avoid treatment for as long as possible, they will omit sensitive information, or they will provide false information to try and protect themselves.
The elimination of the right of consent will provide fertile ground for a black market in private medical treatment for those who can afford it. The only other guarantee of medical privacy will be to get treatment under an alias. If the doctrine of federal "regulatory permission" is not reversed through litigation or legislation by the U.S. Congress, the currently existing stronger protections for medical records in the states will likely be eliminated in order to bring state laws into conformity with HIPAA. Powerful industries that profit from access to identifiable medical information will introduce legislation in every state to eliminate consent and conform with the limitless disclosures allowed under HIPAA. This has already happened in Texas and Oregon.
Understandably, physicians and patients have been focusing almost exclusively on the hassles and bureaucratic forms required to comply with HIPAA. But the loss of the right of consent in the new Privacy Rule imposes several subtle and several more obvious problems and potential conflicts on every part of the system. While the federal Privacy Rule requires "covered entities" to fully inform patients of their rights under state and common law, this is just not being done. The privacy notices being given to patients across the nation are not only defective, misleading and inadequate, but illegal.
Federal regulations provide the floor for patient privacy, not the ceiling. The Rule still requires providers to give patients notice about how to utilize the greater medical privacy protections contained in state laws. It further specifies that health care professionals should continue to use and follow the longstanding professional codes of ethics for their field or specialty and should develop privacy policies and notices in accordance with these traditional ethical principles. Yet HIPAA legal experts have simply not advised providers of the full extent of their legal and ethical obligations under the Privacy Rule.
Privacy notices typically imply that patients have lost the right of consent, in flagrant violation of the core ethical principle of every medical and health profession. What does your privacy notice say? Does it cite the American Psychiatric Association and American Medical Association (AMA) Codes of Medical Ethics on the right of consent? Most privacy notices do state that patients have the right to request a consent process; but under the federal Privacy Rule, providers have no obligation to provide one. Although privacy notices are required to inform patients that more stringent state laws and medical ethics governing the right of consent actually prevail over the federal Privacy Rule, I have yet to find a single privacy notice that does that.
As a matter of record, defective privacy notices are part of the basis for a lawsuit filed against the U.S. Department of Health and Human Services (HHS) on April 10, 2003, in federal district court in Philadelphia. The lawsuit was filed on behalf of the American Psychoanalytic Association and 15 other health and advocacy organizations and individuals. Its main purpose is to overturn the amendments to HIPAA and restore the right of consent (see Citizens for Health et al. v Tommy G. Thompson, Secretary, US Dept of HHS, CA No. 03-2267 [E.D. Pa.]). The lawsuit cites three typical "privacy notices" from national corporations that did not advise patients of the existence of more stringent state and common laws governing medical privacy, did not advise patients about ethics governing medical privacy, and also failed to inform them about how to exercise their rights under state laws. For example, a privacy notice that states "stricter state laws may provide greater protections for people with HIV or AIDS" is totally inadequate. Surely HHS did not intend for each citizen to be forced to become an expert on the medical privacy statutes in their state.
Many hospitals and academic institutions view the right of consent as inefficient, or as a barrier or impediment to treatment or research, rather than viewing the body of laws and ethical principles as necessary and important conditions of effective treatment. But psychiatrists know from direct experience just how far many parents and patients will go to protect their children or their jobs, and to hide or omit information to keep others from knowing intimate personal or family secrets. Our patients will not share any sensitive information at all if they believe it can be accessed by anyone other than the person who is treating them.
The U.S. Supreme Court recognized that effective psychotherapy cannot exist without the guarantee of absolute privacy. In Jaffee v Redmond (No. 95-266), the justices rejected any balancing test to weigh the needs of private individuals or entities against the right of patients to have privacy. The court noted that it was in the best interests of the nation to have effective psychotherapy available for citizens, so they affirmed the absolute right to privacy of the communications between patient and psychotherapist by recognizing a federal therapist-patient privilege.
Advocacy for patients and protection of patient privacy are core ethical principles for physicians and most health professionals. Therein lies the moral and ethical guidance our nation needs. Section III in the Preamble of the AMA Principles of Medical Ethics (2001) affirms the physician's role as an advocate for patients, stating, "A physician shall respect the law and also recognize a responsibility to seek changes in those requirements which are contrary to the best interests of the patient." Section IV in the Preamble states, "A physician shall respect the rights of patients, colleagues, and other health professionals, and shall safeguard patient confidences and privacy within the constraints of the law." Both principles are incorporated into the Principles of Medical Ethics of the APA.
Here are some tangible steps you can take to safeguard patient privacy, advocate for the best interests of patients and inform the public:
1) Ask groups and individuals to support the federal lawsuit to restore the right to consent. Contributions can be made to help pay the costs of litigating the lawsuit. Tax-deductible checks can be sent directly to the Appeal for Privacy Foundation, P.O. Box 248, Austin, TX 78767.
2) Look at your own privacy notices. If they do not tell patients the steps they can take to protect their medical records under state laws and medical ethics, they are illegal. Ask your HIPAA expert to prepare privacy notices that follow the law.
3) Keep abreast of national efforts to protect medical privacy. See <www.medicalprivacycoalition.org> and <www.patientprivacy.info> for more information about medical privacy.
4) Encourage your congressional delegation to co-sponsor or draft other legislation to fix the serious privacy defects in HIPAA. Restoring the right to consent is the centerpiece of the bipartisan Stop Taking Our Health Privacy Act, STOHP (HR 1709). Co-sponsors Reps. Edward J. Markey (D-Mass.) and Dana Rohrabacher (R-Calif.) stated:
The purpose of this Act is to restore patient privacy protections essential for the delivery of high-quality health care that were undermined when the medical privacy rule was modified in August 2002. STOHP will restore the core medical privacy protections of the December 2000 medical privacy rule by:
A) Reinstating the patient consent requirement for treatment, payment and health care operations.
B) Returning to the 2000 definition of and thus ensuring that activities typically considered 'marketing,' such as drug companies paying pharmacies to send product recommendations to patients, fall under the rule's privacy protections governing marketing activities.
C) Eliminating the broad 'public health' loophole created by the August 2002 rule.
No single approach to medical privacy can preserve such an important individual right. When the privacy rights of individuals are pitted against corporations and governmental agencies that want unfettered access to the most valuable personal information that exists, eternal vigilance is the only effective response.
References
1. American Medical Association (2001), Principles of Medical Ethics, Preamble, Section 3. Available at: www.ama-assn.org/ama/pub/category/4256.html. Accessed July 31, 2003.
2. Citizens for Health et al. v Tommy G. Thompson, Secretary, US Dept of HHS, CA No. 03-2267 (E.D. Pa.).