The Final Federal Medical Privacy Rule:
By Sue Blevins and Robin Kaigh1
February 8, 2001
Americans are being told they have a new right to
medical privacy under the final federal medical privacy
rule published in the Federal Register on December
28, 2000. However, the following "myths and facts" summary
shows that the rule does not provide true medical privacy.
Rather, it actually weakens individuals' ability to
restrict access to their medical records. At the same
time, the rule increases the federal government's power
to access individuals' personal health information,
without patient consent.
The following summary is based on the HHS Fact Sheet
(published December 20, 2000) announcing the new rule,
national newspaper articles, and a review of the final
rule published in the Federal Register.2
Citations to specific key pages are provided to help
the public, media, and policymakers understand the serious
implications of the rule.
Myth #1: The final federal medical privacy rule
provides Americans a new federal right to medical privacy.
Fact: The rule creates a massive federal mandate that
requires every doctor and other health care practitioner
to share patients' records with the federal government--specifically
the U.S. Department of Health and Human Services (HHS)--without
The federal government even has the right to access
an individual's psychotherapy notes in order to monitor
compliance with the new rule.4
Ironically, this federal mandate will be enforced by
HHS' Office for Civil Rights.5
Myth #2: Individuals are guaranteed the right to
restrict others from accessing their medical records
without their consent.
Fact: Under the rule, Americans' medical records can
be disclosed for many broadly defined purposes without
patient consent, including, but not limited to, the
- Oversight of the health care system
- FDA monitoring (including dietary supplements)
- Public health surveillance and activities
- Foreign governments collaborating with U.S. public
- Research (if an IRB or privacy board waives consent)
- Law enforcement activities
- Judicial and administrative proceedings
- Licensure and disciplinary actions.6
Moreover, once individuals' medical records are disclosed
to a third party (other than a business associate),
the final rule no longer protects that information.
The rule specifically reads:
". . .[O]nce protected health information
leaves a covered entity the Department [HHS] no longer
has jurisdiction under the statute to apply protections
to the information."7
Also, there is nothing in the rule that prohibits
the federal government, state governments or private
parties from compiling large databases of patient information,
for the purposes listed above, without patient consent.
The rule does not apply to information that is collected
or stored in databases without consent prior to February
26, 2003 (when most providers are required to comply
with the rule). It states:
"We do not require covered entities with
existing records or databases to destroy or remove the
protected health information for which they do not have
valid consents or authorizations. . ."8
Myth #3: The final rule ensures that consent is
Fact: Health care providers and institutions may refuse
to treat patients if they won't give consent to share
their medical records.9
Patients are not guaranteed the right to restrict access
to their records for treatment, payment or health care
Additionally, individuals' medical records can be used
by any doctor--without individuals' consent--to treat
other patients. The rule states:
"A plan can disclose protected health
information to any health care provider to assist the
provider's treatment activities; and a health care provider
may use protected health information about an individual
to treat another individual."11
Myth #4: Americans will be able to get a full
accounting of when and to whom their medical records
have been disclosed.
Fact: Individuals will receive only a limited
accounting of when and to whom their medical records
They will not receive an accounting of when and to whom
their records were disclosed for most health care activities,
including activities related to treatment, payment,
or health care operations (a broad definition encompassing
Myth #5: The final rule provides serious penalties
for breaches of medical privacy.
Fact: Patients have no guaranteed recourse other than
the right to complain.14
They can complain to their health care providers or
institutions about privacy breaches. They also can complain
to the U.S. Secretary of Health and Human Services.
However, the HHS Secretary does not have to investigate
the complaint. The final rule reads that the Secretary
"may," not "shall," investigate complaints.15
Individuals do not have a private right of action
(they can't sue) if their privacy is breached under
the final medical privacy rule.
Myth #6: All individually identifiable health information
held or disclosed by health care organizations is covered
by the final regulation.
Fact: The final rule does not cover the procurement
or banking of blood, sperm, or body tissue. In fact,
the final rule states:
". . .[T]he procurement or banking of
organs, blood (including autologous blood), sperm, eyes
or any other tissue or human product is not considered
to be health care under this rule and the organizations
that perform such activities would not be considered
health care providers when conducting these functions."16
Because blood, sperm and body tissue includes genetic
information, lack of privacy protections in these areas
could have far-reaching effects.
Myth #7: The medical privacy rule provides consumers
greater control over the flow of their electronic medical
Fact: The final federal medical privacy rule is part
of the 1996 HIPAA law that fosters the development of
a national health information network through standardized
codes for all health care services nationwide.17
It [HIPAA] requires health plans to use the national
standardized codes for electronic transactions for payment
of medical care. The [HIPAA] law additionally requires
that unique health identifiers be assigned to four groups,
including every: (1) individual, (2) health care provider,
(3) employer, and (4) health plan.18
Those identifiers will facilitate electronic transactions
for all types of health care, whether services are paid
by government or privately. (Note: the individual identifier
has been put on hold temporarily for one year.19)
The result will be that each patient's visit to a
doctor or hospital will be easily tracked.
In the next few years, it is going to become increasingly
easier to transfer electronic medical records over the
Internet. With just a click of a mouse, it will be much
easier to access and share individuals' records with
many third parties. If policymakers are not aware of
how strongly people feel about this important issue,
then Congress may fail to consider true privacy rights
and Americans won't have the ability to maintain a confidential
Blevins is president of the Institute for Health Freedom
and Robin Kaigh, Esq. is a private practicing attorney.
This summary report will be published in the January/February
2001 issue of Health
Freedom Watch and posted at IHF's Web site (www.ForHealthFreedom.org).
Nothing in this summary report should be construed as
medical or legal advice.
Fact Sheet, December 20, 2000,
"Standards for Privacy of Individually Identifiable Health
Information," Federal Register, Vol. 65, No. 250,
December 28, 2000, pp. 82461-82829.
Register, Vol. 65, No. 250, December 28, 2000, p.
pp. 82811, 82805
pp. 82775, 82381
pp. 82525, 82528, 82813-82817
Ibid., p. 82810
Ibid., p. 82497
Ibid., p. 82826
Ibid., p. 82826
Ibid., p. 82801-82802
Ibid., p. 82802
Ibid., p. 82477
"Health Insurance Reform: Standards for Electronic Transactions;
Announcement of Designated Standard Maintenance Organizations;
Final Rule and Notice," Federal Register, Volume
65, No. 160, August 17, 2000, pp. 50312-50313.
Ibid., p. 50313
Congressional Record-House, December 15, 2000 (p.
because we have new technology that facilitates
the exchange of medical information electronically
does not mean that we should eliminate the important
legal concept of informed consent.
Click here to read about this important issue.