The Truth about the Modified, Final Federal Medical Privacy Rule*
October 21, 2002
A newly modified, final federal medical privacy rule went into effect on October 15, 2002 (but health plans, health care providers and data-processing companies have up to 18 months to comply with the rule, depending on the size of the organization).1 The following "questions and answers" summary explains how the modified, final federal medical rule strips citizens of their freedom to maintain confidential patient-doctor (and other provider) relationships.
The following summary is based on a review of the recent modifications (published in the Federal Register on August 14, 2002)2 made to the federal medical privacy rule, compared to the final federal medical privacy rule (published in the Federal Register on December 28, 2000).3 Citations to specific key pages are provided to help the public, media, and policymakers understand the serious implications of the rule.
Does the federal medical privacy rule provide consumers greater control over the flow of their personal health information?
No, under the modified, final federal medical privacy rule, patients will not be in control of deciding whether they want health insurers, doctors, and medical data-processing companies to share their personal health informationincluding genetic informationwith others. Rather, health insurers, doctors and medical data-processing companies were granted "regulatory permission" to share patients' health information for any activities related to patients' health care treatment, processing of their health care claims, or "health care operations"a term which encompasses many activities unrelated to patients' direct care (such as fundraising and permitting government officials to search patients' medical records looking for fraud and abuse activities).4
Also, under the modified, final federal medical privacy rule, health insurers, doctors, and medical data-processing companies will not need to get patients' written, informed consent before sharing patients' personal health informationincluding past medical records and genetic informationwith many third parties. The amended rule states:
Under the Privacy Rule, as issued in December 2000, a covered health care provider that has a direct treatment relationship with individuals would have had, except in certain circumstances, to obtain an individual's consent to use or disclose protected health information to carry out treatment, payment, and health care operations. The amended final Rule eliminates this requirement.5 [emphasis added]
Does the federal medical privacy rule prevent data-processing companies, health care providers, health plans and/or government agencies from compiling individuals' personal health information in databases without individuals' consent?
No, there is nothing in the rule that prevents data-processing companies, health care providers, health plans and/or government agencies from compiling individuals' personal health informationincluding genetic informationin databases without first obtaining individuals' consent.
How Does Congress or HHS Define "Medical Privacy" or "Privacy"?
They don't. Ironically, while the federal medical privacy rule includes many definitions, the terms "medical privacy" or "privacy" are not clearly defined in the rule.6 Instead, a federal committee composed primarily of fact-gathering experts was given the legal authority to advise HHS in establishing standards for Americans' medical privacy.7
Are patients guaranteed the right to sign private contracts with their doctors to withhold personal health information from third parties?
No, patients cannot withhold their personally identifiable health information from the U.S. Department of Health and Human Services. In fact, the rule creates a massive federal mandate
that requires every doctor and other health care practitioner to share patients' records with the federal governmentspecifically the U.S. Department of Health and Human Services (HHS)without patient consent.8 The federal government even has the right to access an individual's psychotherapy notes in order to monitor compliance with the rule.9
Will patients be guaranteed the right to an accounting of to whom and when their personal health information was disclosed for health care services related to their treatment and processing of health claims?
No, patients will not receive an accounting of to whom and when their records were disclosed for most health care services, including activities related to treatment, payment, or health care operations (a broad definition encompassing many uses).10
Patients' personally identifiable health information is going to be flowing over the Internetwithout patients' permissionfor purposes related to treatment, payment, and health care operations. But patients won't even know this is happening because they won't be able to obtain an accounting of disclosures for treatment, payment, and health care operations.
Do President Bush's modifications to the federal medical privacy rule (published August 14, 2002) strengthen or weaken Americans' medical privacy?
It is important to note that the Clinton Administration initially proposed prohibiting doctors and hospitals from getting patients' consent before releasing their medical information.11 But after receiving more than 52,000 public comments, the Clinton Administration revised the rule and added a weak, coercive consent provision.
However, the Bush Administration is legally permitting health insurers, doctors and medical data-processing companies to release patients' personal health information without asking patients for their permission. Instead, these entities can simply provide notices of how the information will be shared. This policy takes the active decision-making authority away from patients and shifts it to doctors and hospitals. This is a major shift away from the precious health care ethics that we have honored for many years in this country: the ethics of consent and confidentiality.
In addition to allowing patients' medical records to be disclosed for treatment, payment and health care operations, who else can see patients' records without patients' consent?
Under the Bush Administration's modified rule (as under the Clinton Administration's final rule), Americans' medical records can be disclosed for many broadly defined purposes without patient consent, including, but not limited to, the following:
- Oversight of the health care system
- FDA monitoring (including dietary supplements)
- Public health surveillance and activities
- Foreign governments collaborating with U.S. public health officials
- Research (if an IRB or privacy board waives consent)
- Law enforcement activities
- Judicial and administrative proceedings
- Licensure and disciplinary actions.12
Does the federal medical privacy rule provide patients recourse if their privacy is breached?
No, patients are not guaranteed any recourse other than the right to complain.13 They can complain to their health care providers or institutions about privacy breaches. They also can complain to the Secretary of the U.S. Department of Health and Human Services. However, the HHS Secretary does not have to investigate the complaint. The final rule reads that the Secretary "may," not "shall," investigate complaints.14
Additionally, under the federal medical privacy rule, individuals do not have a private right of action (they can't sue) if their privacy is breached.
Why was the federal medical privacy rule created in the first place?
The federal medical privacy rule was established as dictated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that fosters the development of a national health information network through standardized codes for all health care services nationwide.15 The HIPAA law requires health plans to use national standardized codes for electronic transactions for payment of medical care. The HIPAA law additionally requires that unique health identifiers be assigned to four groups, including every: (1) individual, (2) health care provider, (3) employer, and (4) health plan.16 Those identifiers will facilitate electronic transactions for all types of health care, whether services are paid by government or privately. (Note: the individual identifier has been put on hold temporarily.)
The result will be that each patient's visit to a doctor or hospital will be easily tracked.
It is becoming increasingly simple to transfer electronic medical records over the Internet. With just a click of a mouse, it will be much easier to access and share individuals' records with many third parties. That is why all Americans should become informed about the federal medical privacy rule and demand the right to control their most personal informationtheir health information, including genetic information.
1The modified, final federal medical privacy rule effective date was October 15, 2002. Health care providers, health plans and health care clearinghouses have until April 14, 2003 to comply with the rule; small health plans have until April 14, 2004 to comply.
2"Standards for Privacy of Individually Identifiable Health Information; Final Rule," Federal Register, Vol. 67, No. 157, August 14, 2002, pp. 53182-53273.
3"Standards for Privacy of Individually Identifiable Health Information; Final Rule," Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82462-82829.
4Federal Register, Vol. 65, No. 250, pp. 82803-82804; Federal Register, Vol. 67, No. 157, pp. 53211, 53266-53268.
5Federal Register, Vol. 67, No. 157, p. 53261.
6Federal Register, Vol. 65, No. 250, pp. 82798, 82803-82805; Federal Register, Vol. 67, No. 157, pp. 53266-53268.
7Federal Register, Vol. 67, No. 157, p. 53182.
8Federal Register, Vol. 65, No. 250, p. 82802.
9Ibid., pp. 82811, 82805.
10Ibid., p. 82826.
11"Standards for Privacy of Individually Identifiable Health Information; Proposed Rule," Federal Register, Vol. 64, No. 212, November 3, 1999, p. 59941.
12Federal Register, Vol. 65, No. 250, pp. 82525, 82528, 82813-82817.
13Ibid., p. 82801.
14Ibid., p. 82802.
15"Health Insurance Reform: Standards for Electronic Transactions; Announcement of Designated Standard Maintenance Organizations; Final Rule and Notice," Federal Register, Vol. 65, No. 160, August 17, 2000, pp. 50312-50313.
16Ibid., p. 50313.
*This analysis of the modified, final federal medical privacy rule was prepared by Sue Blevins, President, Institute for Health Freedom and Deborah Grady, Research Associate, Institute for Health Freedom. Many of the federal medical privacy rule provisions remain the same as those analyzed and reported in two previous papers: (1) "Update on the Federal Medical Privacy Rule: Questions and Answers," by Sue Blevins and Deborah Grady (April 2002); and (2) "The Final Federal Medical Privacy Rule: Myths and Facts" by Sue Blevins and Robin Kaigh, Esq. (February 8, 2001), see [http://www.forhealthfreedom.org/Publications/Privacy/MedPrivFacts.html].