Medical Privacy • Apr 2003 • Patient Privacy

HIPAA - the Federal Medical Privacy Rule

What Privacy?
CCHC Medical Privacy Declaration Form
Of Special Interest

The federal medical privacy rule is commonly known as the "HIPAA privacy rule." However, it actually holds the title, "Standards for Privacy of Individually Identifiable Health Information."

In 1996, Congress passed a law called the Health Insurance Accountability and Portability Act of 1996 (HIPAA). A portion of that law, known as Administrative Simplification, was intended to facilitate sharing of medical data by moving the nation toward electronic medical records. The Workgroup on Electronic Data Interchange (WEDI), made up of 214 members, including government agencies and health care industry, was behind the initiative. The computerization of private medical records would create what the National Committee on Vital Health Statistics calls a National Health Information Infrastructure.

The law requires that the federal government create:

Unique Patient IDs (UPI) - a national medical ID card for every citizen
National Provider IDs (NPI) - a unique identification number for every doctor, nurse, therapist, hospital, health care facility, and other "providers".
Employer ID Numbers (EIN) - a unique number for every employer
a PayerID - an identification number for every insurer and health plan
national codes for all health care procedures
national transaction sets
national security standards for health information

Because Congress understood that the public would be alarmed by the potential for privacy infringements, medical tracking, and patient profiling, the law also required Congress to pass a law protecting patient privacy. If Congress did not pass such a law by August of 1999, the U.S. Department of Health and Human Services was then required to write a privacy rule.

Congress did not meet the deadline, so HHS published a proposed rule in November of 1999 which followed HHS's 1997 recommendations that data be shared without patient consent.

Over 52,000 comments were received from the public, with most individuals and patient advocacy organizations asking that patient consent be added to the rule.

The final rule was published by the Clinton Administration on December 28, 2000. Due to the deluge of public comments, patient consent for treatment, payment and health care operations had been added. However, the rule gave permission for doctors, hospitals, health plans and other "covered entities" to share individually-identifiable data without patient consent for several "national priority activities".

After President Bush took office, his administration asked that the rule be reconsidered. An additional 24,000 public comments were received. However, when the final rule was published August 14, 2002, patient consent for disclosure of medical record information for payment, treatment and health care operations had also been deleted. Instead, a notice of privacy practices must be distributed to patients. Patients are asked to sign it, but are not required to do so - because it is not a consent form.

Because the Clinton Administration had already removed patient consent requirements for "national priority activities", the Bush Administration's action virtually eliminated patient consent from the practice and ethics of medicine. Instead of protecting patient privacy, HIPAA is essentially a federal license to intrude.

The HIPAA privacy rule became effective April 14, 2003.