The Final Federal Medical Privacy Rule:
Myths and Facts

By Sue Blevins and Robin Kaigh¹
February 8, 2001

Americans are being told they have a new right to medical privacy under the final federal medical privacy rule published in the Federal Register on December 28, 2000. However, the following "myths and facts" summary shows that the rule does not provide true medical privacy. Rather, it actually weakens individuals' ability to restrict access to their medical records. At the same time, the rule increases the federal government's power to access individuals' personal health information, without patient consent.

The following summary is based on the HHS Fact Sheet (published December 20, 2000) announcing the new rule, national newspaper articles, and a review of the final rule published in the Federal Register.² Citations to specific key pages are provided to help the public, media, and policymakers understand the serious implications of the rule.

Myth #1: The final federal medical privacy rule provides Americans a new federal right to medical privacy.

Fact: The rule creates a massive federal mandate that requires every doctor and other health care practitioner to share patients' records with the federal government--specifically the U.S. Department of Health and Human Services (HHS)--without patient consent.³ The federal government even has the right to access an individual's psychotherapy notes in order to monitor compliance with the new rule.⁴ Ironically, this federal mandate will be enforced by HHS' Office for Civil Rights.⁵

Myth #2: Individuals are guaranteed the right to restrict others from accessing their medical records without their consent.

Fact: Under the rule, Americans' medical records can be disclosed for many broadly defined purposes without patient consent, including, but not limited to, the following:

• Oversight of the health care system
• FDA monitoring (including dietary supplements)
• Public health surveillance and activities
• Foreign governments collaborating with U.S. public health officials
• Research (if an IRB or privacy board waives consent)
• Law enforcement activities
• Judicial and administrative proceedings
• Licensure and disciplinary actions.⁶

Moreover, once individuals' medical records are disclosed to a third party (other than a business associate), the final rule no longer protects that information. The rule specifically reads:

". . .[O]nce protected health information leaves a covered entity the Department [HHS] no longer has jurisdiction under the statute to apply protections to the information."⁷

Also, there is nothing in the rule that prohibits the federal government, state governments or private parties from compiling large databases of patient information, for the purposes listed above, without patient consent. The rule does not apply to information that is collected or stored in databases without consent prior to February 26, 2003 (when most providers are required to comply with the rule). It states:

"We do not require covered entities with existing records or databases to destroy or remove the protected health information for which they do not have valid consents or authorizations. . ."⁸

Myth #3: The final rule ensures that consent is not coerced.

Fact: Health care providers and institutions may refuse to treat patients if they won't give consent to share their medical records.⁹ Patients are not guaranteed the right to restrict access to their records for treatment, payment or health care operations.¹⁰ Additionally, individuals' medical records can be used by any doctor--without individuals' consent--to treat other patients. The rule states:

"A plan can disclose protected health information to any health care provider to assist the provider's treatment activities; and a health care provider may use protected health information about an individual to treat another individual."¹¹

Myth #4: Americans will be able to get a full accounting of when and to whom their medical records have been disclosed.

Fact: Individuals will receive only a limited accounting of when and to whom their medical records were disclosed.¹² They will not receive an accounting of when and to whom their records were disclosed for most health care activities, including activities related to treatment, payment, or health care operations (a broad definition encompassing many uses).¹³

Myth #5: The final rule provides serious penalties for breaches of medical privacy.

Fact: Patients have no guaranteed recourse other than the right to complain.¹⁴ They can complain to their health care providers or institutions about privacy breaches. They also can complain to the U.S. Secretary of Health and Human Services. However, the HHS Secretary does not have to investigate the complaint. The final rule reads that the Secretary "may," not "shall," investigate complaints.¹⁵

Individuals do not have a private right of action (they can't sue) if their privacy is breached under the final medical privacy rule.

Myth #6: All individually identifiable health information held or disclosed by health care organizations is covered by the final regulation.

Fact: The final rule does not cover the procurement or banking of blood, sperm, or body tissue. In fact, the final rule states:

". . .[T]he procurement or banking of organs, blood (including autologous blood), sperm, eyes or any other tissue or human product is not considered to be health care under this rule and the organizations that perform such activities would not be considered health care providers when conducting these functions."¹⁶

Because blood, sperm and body tissue includes genetic information, lack of privacy protections in these areas could have far-reaching effects.

Myth #7: The medical privacy rule provides consumers greater control over the flow of their electronic medical records.

Fact: The final federal medical privacy rule is part of the 1996 HIPAA law that fosters the development of a national health information network through standardized codes for all health care services nationwide.¹⁷ It [HIPAA] requires health plans to use the national standardized codes for electronic transactions for payment of medical care. The [HIPAA] law additionally requires that unique health identifiers be assigned to four groups, including every: (1) individual, (2) health care provider, (3) employer, and (4) health plan.¹⁸ Those identifiers will facilitate electronic transactions for all types of health care, whether services are paid by government or privately. (Note: the individual identifier has been put on hold temporarily for one year.¹⁹)

The result will be that each patient's visit to a doctor or hospital will be easily tracked.

In the next few years, it is going to become increasingly easier to transfer electronic medical records over the Internet. With just a click of a mouse, it will be much easier to access and share individuals' records with many third parties. If policymakers are not aware of how strongly people feel about this important issue, then Congress may fail to consider true privacy rights and Americans won't have the ability to maintain a confidential doctor-patient relationship.