What Americans Need To Know About Medical Privacy Regulations¹

November 15,1999

INTRODUCTION

On November 3, 1999, the U.S. Department of Health and Human Services (HHS) published its proposed medical privacy regulations in the Federal Register.² The regulations would apply to all individuals, whether their health care is paid for privately or by the government. The public has 60 days to comment on the proposed regulations. By law, the federal government must take into account comments it receives from the public--including concerned citizens, government agencies, and special interest groups-- before writing the final rules. The comment period ends January 3, 2000 [The comment period was recently extended to February 17, 2000].

SUMMARY OF KEY QUESTIONS & ANSWERS

• Will the government or private citizens set the terms for who has access to patients' medical records? The government.

• Who will have access to patients' electronic medical records--including genetic information--without obtaining patients' consent? Many people and organizations--including health plans, providers, hospitals, researchers, medical students, government agents, law enforcement officials, and others--will have access to patients' medical records without obtaining their consent.

• Will the proposed privacy regulations guarantee patients the right to inspect and copy all information related to their medical care? No, patients will not be guaranteed access to medical malpractice information obtained for a legal proceeding.

• Will individuals be able to sue if their medical confidentiality is breached? No, not under the proposed medical privacy regulations.

• What can Congress do to truly protect patients' medical privacy? It should enforce--not eliminate--patient consent forms for disclosure of medical information.

KEY QUESTIONS & ANSWERS

No. The proposed regulations do not guarantee true protection of medical privacy. In fact, they are the first step toward creating a centralized database for electronic medical records. By law, HHS must assign each American a "unique health identifier" (a patient ID number) that could be used to tag and track each person's medical history electronically from cradle to grave. This is a requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was signed into law August 21, 1996. ³ Unless HIPAA is repealed, all Americans will be assigned a unique health identifier. The proposed privacy regulations will govern who has access to individuals' electronic medical records and the forthcoming unique health identifiers.

As they stand, the proposed regulations could lull the American public into a false sense of security. They assure people that the federal government will protect "individually identifiable information," but they don't explain how the unique health identifiers will work. That part of the plan will be inserted into the regulations later, but we don't know when.

HHS is considering six alternatives for creating unique health identifiers, including biometric identifiers that employ DNA analysis or voice recognition technology, according to a HHS White Paper published in July 1998. ⁴ Clearly, the public needs to know what form the unique health identifiers will take before it can judge: (1) whether the proposed privacy regulations will truly protect electronic medical records; and (2) how such a tracking system could invade individuals' privacy.

Will the government or private citizens set the terms for who has access to patients' medical records?

The government--not private citizens--will set the terms for who has access to individuals' medical information without patient consent. Patient authorization will no longer be required to disclose health care information in most circumstances. In fact, the proposed regulations state:

"We also propose to prohibit covered entities [health plans providers, hospitals, clinics, etc.] from seeking individual authorization for uses and disclosures for treatment, payment and health care operations unless required by State or other applicable law."⁵ [emphasis added]

In effect, the federal government is eliminating patient consent for disclosure of most health care information. At the same time, it is increasing access to patients' medical records. In its proposed regulations, HHS cites a congressional report noting:

"Health information is considered relatively `safe' today, not because it is secure, but because it is difficult to access. These standards improve access [emphasis added] and establish strict privacy protections."⁶

This is a contradiction. Government can't enforce strict privacy protections by giving more people access to patients' medical information. Rather, allowing more people to peer into patients' medical records results in less privacy.

Who will have access to patients' electronic medical records--including genetic information--without obtaining patients' consent?

Many people and organizations--including health plans, providers, hospitals, researchers, medical students, government agents, law enforcement officials, and others--will have access to patients' medical records without obtaining their consent. Individual authorization is not required for sharing information related to medical treatment, payment, or "health care operations." In addition, the regulations state:

"After balancing privacy and other social values, we are proposing rules that would permit use or disclosure of health information without individual authorization [emphasis added] for the following national priority activities and activities that allow the health care system to operate smoothly:

• Oversight of the health care system
• Public health functions
• Research
• Judicial and administrative proceedings
• Law enforcement
• Emergency circumstances
• To provide information to next-of-kin
• For identification of the body of a deceased person, or the cause of death
• For government health data systems
• For facility patient directories
• To banks, to process health care payments and premiums
• For management of active duty military and other special classes of individuals
• Where other law requires such disclosure and no other category of permissible disclosures would allow the disclosure."^7,8

It is important to note that the term "health care operations" is broadly defined. It includes access to patients' medical information for "[c]ompiling and analyzing information in anticipation of, or for use in, civil or criminal legal proceedings." It also includes uses for "[r]eviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which undergraduate and graduate students and trainees in all areas of health care learn under supervision to practice as health care providers. . ." ⁹

Will the proposed privacy regulations guarantee patients the right to inspect and copy all information related to their medical care?

There are no guarantees that health care organizations must let patients inspect and copy all information related to their medical care. Curiously, page 59926 of the regulations states:

"We propose that individuals be able to obtain access to protected health information about them, which would include a right to inspect and obtain a copy of such information. See proposed § 164.514."

However, the referenced section says that under certain circumstances--such as when information is compiled for use in a legal proceeding--a covered entity (hospital, clinic, doctor's office, etc.) may deny an individual's request to obtain information. HHS explains:

"In § 164.514(b)(1)(v), we are proposing that covered plans and providers be permitted to deny a request for inspection and copying if the information is compiled in reasonable anticipation of, or for use in, a legal proceeding. . . For example, when a procedure results in an adverse outcome, a hospital's attorney may obtain statements or other evidence from staff about the procedure, or ask consultants to review the facts of the situation for potential liability. Any documents containing protected health information that are produced as a result of the attorney's inquiries could be kept from the individual requesting access." ¹⁰

Who will most likely want to obtain a copy of all information related to his medical care? Someone who feels he's suffered an adverse outcome or been injured would want to get a copy of newly obtained information related to medical malpractice. Yet, it appears that under the proposed privacy regulations, a request for information related to medical malpractice could be denied. That information could be important for seeking follow-up care related to an adverse outcome or injury. Moreover, if the request is denied, the only recourse is to complain to the entity (i.e., hospital, provider, or clinic) or file a complaint with the Secretary of HHS.¹¹

Will individuals be able to sue if their medical confidentiality is breached?

No, individuals won't be able to sue under the proposed medical privacy regulations. The regulations specifically state:

"There is no private right of action for individuals to enforce their rights, and we are concerned that the penalty structure does not reflect the importance of these privacy protections and the need to maintain individuals' trust in the system."¹²

Individuals can't sue, but the federal government may impose penalties on providers, hospitals, and other organizations that breach patients' medical privacy. Individuals, not the federal government, should be compensated for invasion of their medical privacy.

What can Congress do to truly protect patients' medical privacy?

Congress could repeal the HIPAA section that requires the adoption of a "unique health identifier" (patient ID number) to tag and track individuals' medical records electronically. Representative Ron Paul (R-TX) has introduced legislation (H.R. 220) that would do just that.

The only way individuals will truly control the privacy of their own medical information is if: (1) government enforces, not eliminates, patient consent forms for disclosure of medical information; (2) individuals, not government, decide if they want their medical information compiled in a centralized database; (3) individuals, not government, decide who has access to their medical records, except under very limited circumstances; and (4) individuals are not forced to accept a "unique health identifier" for tagging and tracking their medical records electronically.

Moreover, individuals who agree to unique health identifiers should choose their own personal identification numbers (PINs) for their electronic medical records, just as they do for their own bank accounts. Individuals could then decide whether to make their health PINs available to all ambulance services, hospitals, providers, researchers, government agents, and the many others who want access to patients' medical records.

Finally, if a health care organization or provider breaches a contract of nondisclosure, then individuals should have the right to sue.

² [The proposed medical privacy regulations were published in the Federal Register, Vol. 64, No. 212, pp. 59917-60065, Wednesday, November 3, 1999.]

³ Source: Health Insurance Portability and Accountability Act of 1996 (P.L. 104- 191), enacted August 21, 1996. Title II, Subtitle F, Sec. 1173(b) states "The Secretary [of Health and Human Services] shall adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system." (This section of the law is similar to a section of the original Clinton health care plan [S. 1757] introduced in 1993.) [Note: (2/3/2000) For an update on the unique health identifier, see the following article: What's Happening with the Unique Health Identifier.]

⁴ The HHS White Paper titled "Unique Health Identifiers for Individuals, A White Paper" is posted at the following Web site: (http://www.forhealthfreedom.org/hhswhitepaper).

⁵ Federal Register, p. 59941. See also pp. 60050-60051 "Subpart B--Preemption of State Law." This section explains the terms under which State law will be preempted.

⁶ Ibid., p. 59928.

⁷ Ibid., pp. 59925-59926.

⁸ Ibid., pp. 60056-60059. See § 164.510 "Uses and disclosures for which individual authorization is not required." Subsection (h) notes that information can be shared for directory purposes, provided that, the individual has agreed to such disclosure.

⁹ Ibid., pp. 59933-59934.

¹⁰ Ibid., p. 59983.

¹¹ Ibid., pp. 60059-60060.

¹² Ibid., pp. 59923-59924.