This website provides readers an historical perspective on the evolution of various healthcare laws and regulations affecting healthcare freedom and privacy.
For updated information about healthcare freedom and privacy issues, visit Citizens' Council for Health Freedom's website www.healthcarefreedom.us
Browse by Topic
Publications

Update on the Federal Medical Privacy Rule:
Questions and Answers*

April 2002

Americans are being told they will have stronger medical privacy protections under the revised federal medical privacy rule published in the Federal Register on March 27, 2002.1 However, the following "questions and answers" summary shows that the revised rule does not provide patients stronger medical privacy. Rather, it actually weakens individuals' ability to restrict access to their medical records.

The following summary is based on a review of the revised federal medical privacy rule (published March 27, 2002)2 compared to the final federal medical privacy rule (published December 28, 2000).3 Citations to specific key pages are provided to help the public, media, and policymakers understand the serious implications of the rule.

Does the revised federal medical privacy rule provide consumers greater control over the flow of their personal health information?

No, under the revised federal medical privacy rule, patients will not be in control of deciding whether they want health insurers, doctors, and medical data-processing companies to share their personal health information—including genetic information—with others. Rather, health insurers, doctors and medical data-processing companies are actually granted "regulatory permission" to share patients' health information for any activities related to patients' health care treatment, processing of their health care claims, or "health care operations"—a term which encompasses many activities unrelated to patients' direct care (such as permitting FBI officials to search medical records looking for fraud and abuse activities).4

Also, under the revised federal medical privacy rule, health insurers, doctors, and medical data-processing companies will not need to get patients' written, informed consent before sharing patients' personal health information—including past medical records and genetic information—with many third parties.

How Does Congress or HHS Define "Medical Privacy" or "Privacy"?

They don't. Ironically, while the federal medical privacy rule includes many definitions, the terms "medical privacy" or "privacy" are not clearly defined in the rule.5 Instead, a federal committee composed primarily of fact-gathering experts was given the legal authority to advise HHS in establishing standards for Americans' medical privacy.6

Are patients guaranteed the right to sign private contracts with their doctors to withhold personal health information from third parties?

No, patients cannot withhold their personally identifiable health information from the U.S. Department of Health and Human Services. In fact, the rule creates a massive federal mandate that requires every doctor and other health care practitioner to share patients' records with the federal government—specifically the U.S. Department of Health and Human Services (HHS)—without patient consent.7 The federal government even has the right to access an individual's psychotherapy notes in order to monitor compliance with the rule.8

Will patients be guaranteed the right to an accounting of to whom and when their personal health information was disclosed for health care services related to their treatment and processing of health claims?

No, patients will not receive an accounting of to whom and when their records were disclosed for most health care services, including activities related to treatment, payment, or health care operations (a broad definition encompassing many uses).9

In just a few years, patients' personally identifiable health information is going to be flowing over the Internet—without patients' permission—for purposes related to treatment, payment, and health care operations. But patients won't even know this is happening because they won't be able to obtain an accounting of disclosures for treatment, payment, and health care operations.

Will President Bush's proposed changes to the federal medical privacy rule (published March 27, 2002) strengthen or weaken Americans' medical privacy?

It is important to note that the Clinton Administration initially proposed prohibiting doctors and hospitals from getting patients' consent before releasing their medical information.10 But after receiving more than 52,000 public comments, the Clinton Administration revised the rule and added a very weak, coercive consent provision.

However, the Bush Administration is legally permitting health insurers, doctors and medical data-processing companies to release patients' personal health information without asking patients for their permission. Instead, these entities can simply provide notices of how the information will be shared. This policy takes the active decision-making authority away from patients and shifts it to doctors and hospitals. This is a major shift away from the precious health care ethics that we have honored for many years in this country: the ethics of consent and confidentiality.

In addition to allowing patients' medical records to be disclosed for treatment, payment and health care operations, who else can see patients' records without patients' consent?

Under the Bush Administration's revised rule (as under the Clinton Administration's final rule), Americans' medical records can be disclosed for many broadly defined purposes without patient consent, including, but not limited to, the following:

  • Oversight of the health care system
  • FDA monitoring (including dietary supplements)
  • Public health surveillance and activities
  • Foreign governments collaborating with U.S. public health officials
  • Research (if an IRB or privacy board waives consent)
  • Law enforcement activities
  • Judicial and administrative proceedings
  • Licensure and disciplinary actions.11

Does the federal medical privacy rule provide patients recourse if their privacy is breached?

No, patients are not guaranteed any recourse other than the right to complain.12 They can complain to their health care providers or institutions about privacy breaches. They also can complain to the Secretary of the U.S. Department of Health and Human Services. However, the HHS Secretary does not have to investigate the complaint. The final rule reads that the Secretary "may," not "shall," investigate complaints.13

Additionally, individuals do not have a private right of action (they can't sue) if their privacy is breached under the final medical privacy rule.

Why was the federal medical privacy rule created in the first place?

The federal medical privacy rule was established as dictated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that fosters the development of a national health information network through standardized codes for all health care services nationwide.14 The HIPAA law requires health plans to use national standardized codes for electronic transactions for payment of medical care. The HIPAA law additionally requires that unique health identifiers be assigned to four groups, including every: (1) individual, (2) health care provider, (3) employer, and (4) health plan.15 Those identifiers will facilitate electronic transactions for all types of health care, whether services are paid by government or privately. (Note: the individual identifier has been put on hold temporarily for one year.)

The result will be that each patient's visit to a doctor or hospital will be easily tracked.

In the next few years, it is going to become increasingly simple to transfer electronic medical records over the Internet. With just a click of a mouse, it will be much easier to access and share individuals' records with many third parties. That is why all Americans should become informed about the federal medical privacy rule and demand the right to control their most personal information-their health information, including genetic information.

* This update analysis on the federal medical privacy rule was prepared by Sue Blevins, President, Institute for Health Freedom and Deborah Grady, Research Associate, Institute for Health Freedom. Many of the federal medical privacy rule provisions remain the same as those analyzed in a previous paper titled "The Final Federal Medical Privacy Rule: Myths and Facts" by Sue Blevins and Robin Kaigh, Esq. (February 8, 2001), see [http://www.forhealthfreedom.org/Publications/Privacy/MedPrivFacts.html].



1 "Standards for Privacy of Individually Identifiable Health Information," Federal Register, Vol. 67, No. 59, March 27, 2002, pp. 14776-14815.
2 Ibid.
3 "Standards for Privacy of Individually Identifiable Health Information," Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82462-82829.
4 Federal Register, Vol. 67, No. 59, March 27, 2002, pp. 14780, 14812.
5 Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82798, 82803-82805; Federal Register, Vol. 67, No. 59, March 27, 2002, pp. 14810-14812.
6 Federal Register, Vol. 67, No. 59, March 27, 2002, p. 14777.
7 Federal Register, Vol. 65, No. 250, December 28, 2000, p. 82802.
8 Ibid., pp. 82811, 82805.
9 Ibid., p. 82826.
10 Federal Register, Vol. 64, No. 212, November 3, 1999, p. 59941.
11 Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82525, 82528, 82813-82817.
12 Ibid., pp. 82801-82802.
13 Ibid., p. 82802.
14 "Health Insurance Reform: Standards for Electronic Transactions; Announcement of Designated Standard Maintenance Organizations; Final Rule and Notice," Federal Register, Volume 65, No. 160, August 17, 2000, pp. 50312-50313.
15 Ibid., p. 50313.
 
How will proposed changes to the federal medical privacy rule affect your ability to control the flow of your personal health information?