What Every American Needs to Know about the HIPAA Medical Privacy Rule*
Updated March 2010
Did you know that under the federal HIPAA (Health Insurance Portability and Accountability Act of 1996) privacy rule, your personal health information—including electronic health records (EHRs) and genetic information—can be disclosed without your consent to many third parties such as the following?
- Public health workers
- Data-processing companies
- Researchers (in some instances)
- Law enforcement officials
- Federal government
- Doctors (even those not treating you)
Under the HIPAA privacy rule all of the above are legally permitted to access your personal health and genetic information without your permission. Individuals do not have the final say in whether their personally identifiable health information is shared, without their consent, with more than 600,000 health-related organizations for purposes related to treatment, payment, and health-care operations. [See section 164.502(a)(1)(ii), “Permitted uses and disclosures,” of the rule. The most recent version of the rule (45 CFR Subtitle A, Subpart E—Privacy of Individually Identifiable Health Information) is posted here: http://www.forhealthfreedom.org/BackgroundResearchData/HIPPA_Privacy_Regs/HIPAAPrivacyRegs10-01-09Edition.pdf]
The American Recovery and Reinvestment Act of 2009 amended the HIPAA privacy rule to say individuals can request that a “covered entity” (provider, hospital, etc.) not share their information with health plans, and the entity must comply. But individuals can only exercise this right if they pay out of pocket in full. [See H.R. 1, Title XIII, Subtitle D—Privacy, Sec. 13405(a) (p. 150).] Moreover, they still can’t prevent their data from flowing to many other third parties, such as public-health researchers. (For an explanation of how the American Recovery and Reinvestment Act of 2009 changed the HIPAA privacy rule, see “How the Economic Stimulus Law Affects Your Health Privacy Rights.” http://forhealthfreedom.org/Newsletter/March2009.html#Article2)
Also, under the HIPAA privacy rule the Secretary of the U.S. Department of Health and Human Services (HHS) legally has access to every citizen’s health records, including psychotherapy notes; covered entities (doctors, hospitals, etc.) are required to disclose personal health information to the Secretary when the Secretary requests it to investigate or determine compliance with the HIPAA privacy rule. [See 45 CFR Subtitle A, Subpart E—Privacy of Individually Identifiable Health Information: section 164.502(a)(2)(ii), “Required disclosures,” and the exception at section 164.508(a)(2)(ii) to “Uses and disclosures for which an authorization is required,” which otherwise requires an authorization for psychotherapy notes.]
How did this federal rule come about?
Who was behind it and lobbied for it?
What can you do to protect your medical privacy?
Why Federalize Health Privacy Law?
Until recently, health privacy was considered a matter regulated by the states. Every state has some type of law to protect citizens’ medical records. However, abiding by 50 different state privacy laws has proved difficult for the industries that want to create a national health information system. Thus, leaders of technology, insurance, medical, hospital and other industries have been working for over a decade to nationalize standards for electronic medical records.
Who was Behind the National Electronic Health Information System?
In 1991, the Workgroup for Electronic Data Interchange (WEDI) was established to foster the development of national electronic medical codes and electronic payment systems. WEDI succeeded in getting many of its goals incorporated into the Clinton health care plan. President Clinton’s 1993 Health Security Plan included a provision titled “Administrative Simplification.”
That section of the plan called for establishing a national health information infrastructure. It required that unique identifiers be established for four groups involved in processing medical claims electronically: (1) individuals, (2) employers, (3) health insurers, and (4) health care providers. It also called for creating national codes for medical claims and for new federal medical privacy rules.
The bottom line is that you can’t create a national health care system without standardized information.
HIPAA Law Includes Mandatory Unique Health Identifiers
The American people clearly rejected the Clinton plan to nationalize health care. However, the Administrative Simplification provision was tucked away in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was signed into law on August 21, 1996 (Public Law 104-191). Under the HIPAA law, the following four groups are required to have unique identifiers for tracking medical records and electronic claims processing:
- individuals,
- employers,
- health insurers, and
- health care providers.
Unique Health Identifiers Put on Hold—but Only Temporarily
Due to public outcry, federal funding for assigning every individual a unique health identifier has been put on hold temporarily over the years. But unless the Administrative Simplification provision of the HIPAA law is repealed, all Americans could be assigned a number for tracking their medical information from cradle to grave.
Also, aware that the American people were concerned about medical privacy, legislators included a provision in HIPAA requiring that a medical privacy law be passed by August 21, 1999, or the Secretary of the U.S. Department of Health and Human Services (HHS) would have to draft such a rule. Congress missed its self-imposed deadline, and the authority to establish federal regulations for medical privacy shifted to HHS under the Clinton administration.
Clinton Administration Drafted a Federal “Medical Privacy” Rule
In November 1999, the Clinton administration proposed federal regulations relating to medical privacy. It proposed prohibiting doctors, hospitals, and others from obtaining patients’ consent before releasing their medical information.
However, the public spoke out against the proposed rule and removal of consent. HHS received more than 52,000 comments during the public comment period. The issue most discussed was patient control of personal health information.
A final HIPAA privacy rule was released on December 28, 2000, just before President Clinton’s departure. In response to public outcry, HHS restored patient consent. That version of the HIPAA privacy rule required that individuals give their consent before medical records could be used for health care treatment, payment, or “health care operations”—a broad term encompassing many activities. However, many other third parties did not need patients’ consent before obtaining their medical records, including:
- FDA (for monitoring drugs and dietary supplements),
- law enforcement,
- researchers (in some instances),
- public health officials,
- federal government, and
- medical licensing boards.
Bush Administration Eliminated Patient Consent
Some industries were strongly opposed to the consent provision as it appeared in the December 28, 2000 final HIPAA privacy rule. They lobbied the incoming Bush administration to eliminate patient consent. In March 2002, HHS proposed to modify the HIPAA privacy rule so that health care insurers, hospitals and others could transfer medical information—without patients’ consent—to pay claims, treat patients, and do other tasks. The Bush administration published its final modifications to the HIPAA privacy rule on August 14, 2002. The final rule can be found in the U.S. Code of Federal Regulations, see 45 CFR 160 and 45 CFR 164.
Consequently, for the first time in our nation’s history, the federal government has given the medical industry legal authority to decide for individuals whether personal health information can be released to others without individuals’ consent. Individuals do not receive an accounting of disclosures made for these routine purposes (treatment, payment, and health care operations), which make up most disclosures.
What’s more, some powerful industry groups support pre-empting state laws regarding medical privacy. Given their past lobbying success, it’s likely that state laws soon could be pre-empted by the federal HIPAA privacy rule unless citizens take action.
What Can You Do to Protect Your Medical Privacy?
The HIPAA privacy rule governs everyone’s health information once it is held by a covered entity, even if you pay privately for health care. Thus, if you want to restore true medical privacy and control who has access to your personal health and genetic information, you should:
(1) get Congress to pass a law that ensures your authority to decide who can access your medical records by requiring patient consent; and
(2) work with your state legislators and governor to make sure stronger state medical privacy laws are not pre-empted by the HIPAA privacy rule in the near future.
It’s your personal health information and you should be the one to decide who has access to it!
HIPAA privacy rule published in the Code of Federal Regulations as of October 2009, “45 CFR Subtitle A, Subpart E—Privacy of Individually Identifiable Health Information”: http://www.forhealthfreedom.org/BackgroundResearchData/HIPPA_Privacy_Regs/HIPAAPrivacyRegs10-01-09Edition.pdf
President Clinton’s 1993 Health Security Plan, "Health Security Act," H.R. 3600 (Introduced in House), November 20, 1993 (see "Subtitle B--Information Systems, Privacy, and Administrative Simplification," beginning on page 861).
"Health Insurance Portability and Accountability Act of 1996," Public Law 104-191 (see Title II, Subtitle F, "Administrative Simplification," beginning on page 87 (110 Stat. 2021)).
"The Final Federal Medical Privacy Rule: The Definitive Guide," Institute for Health Freedom, March 6, 2003.
HIPAA privacy rule proposed by the Clinton administration: "Standards for Privacy of Individually Identifiable Health Information; Proposed Rule," Federal Register, Vol. 64, No. 212, November 3, 1999, pp. 59918-60065.
HIPAA privacy rule finalized by the Clinton administration: "Standards for Privacy of Individually Identifiable Health Information; Final Rule," Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82462-82829.
HIPAA privacy rule modified by the Bush administration: "Standards for Privacy of Individually Identifiable Health Information; Final Rule," Federal Register, Vol. 67, No. 157, August 14, 2002, pp. 53182-53273.
"Feds Seek to Harmonize State Health-Privacy Laws," Institute for Health Freedom, February 2008.
* By Sue A. Blevins, president of the Institute for Health Freedom and Robin Kaigh, Esq., an attorney dedicated to patients’ health privacy rights. This March 2010 update is based on an analysis by Blevins and Kaigh published by the Institute for Health Freedom in 2003.