What Privacy?


The federal medical privacy rule went into effect on April 14, 2003. There is no reason to celebrate. Despite the flurry of privacy notices and the irksome new obstacles to normal patient-doctor interactions, private medical records have not been protected from peering eyes. Instead, the federal government has authorized 600,000 clinics, hospitals, insurers and data processing companies to dig deep into the private lives of more than 280 million individuals. And for the most part, patients won't even be allowed to know who's doing the digging.

State legislators now hold the key to protecting patient privacy. Federal law allows stricter, more privacy-protecting state laws to take precedence over the Rule. Topping the list of privacy violations in the Rule are:

No Patient Consent Requirement - Patient-identifiable health information can or must be disclosed without patient consent for a broad list of activities including public health surveillance, federal review of compliance, government databases, payment, treatment, health care operations, government oversight of the health care system, judicial proceedings, law enforcement, abuse or neglect reporting, military activities, national security, some medical research, workers' compensation, and organ donor solicitation activities.

False Assurance of Audit Trail - The Rule requires that inquiring patients be given an accounting of the disclosures and uses of the data an institution has released. However, the accounting need not be patient-specific, and exceptions to the rule abound. Disclosures for payment, treatment and health care operations (a group of 18 broadly defined activities) need not be reported. "Business associates" that receive data for contracted work will go unnamed. And disclosures to the U.S. Department of Health and Human Services (HHS) for the purpose of validating, monitoring or enforcing compliance with the Rule will not be part of any report of disclosures. Therefore, if ABC law firm, XYZ credit agency, YourData corporation, or the federal government obtains medical record information, the patient need never be told.

Reporting Loophole - Like a stealth bomber, most public health and researcher use of medical record data will be done under the radar of patients. If a "limited data set" is used, no report to patients is required. HHS acknowledged in the Rule that patients can still be identified using data in the limited data set (the entire medical record minus 16 identifiers) but insists that a data use agreement will prevent such identification. However, violations of these agreements (requirements that patients not be identified or contacted) cannot be pursued by HHS. Government agencies and most medical researchers are not under the jurisdiction of the Rule.

Psychotherapy Notes Not Protected - Psychotherapy notes contain not only the private statements expressed by patients, but also the thoughts and conclusions of the therapist, right or wrong. HHS acknowledges the special privacy concerns of psychotherapy notes, but does not exempt them completely from disclosure. A therapist is permitted to disclose the notes for training programs, legal proceedings, government oversight of the therapist, and to protect the health and safety of a person or the public. And in a clear-cut case of irony, federal officials from the U.S. Department of Health and Human Services can read them while they evaluate the therapist's compliance with the privacy rule.

Marketing and Fundraising Authorized - The privacy rule will not stop unwelcome phone calls and uninvited solicitations for contributions. Fundraising and marketing are not prohibited by the Rule. Practitioners, clinics, hospitals and insurers who hold patient data may engage in fundraising using the patient's name, address, age, other demographic data, and treatment dates. Providing patients with a way to opt out of fundraising is required, but there is no absolute prohibition against continued solicitation after the patient opts out.

Marketing is permitted if the solicitation is provided in a face-to-face conversation between a patient and his doctor or insurer. Promotional gifts of nominal value can also be sent to the patient. This means that a diaper company could contract with a pediatric clinic that agrees to send expectant mothers a small sample of its diaper product. In addition, clinics, hospitals and insurers are allowed to engage in health care operations that include contacting patients "with information about treatment alternatives."

Federal officials have declared private medical records to be public property. The Rule makes medical information available without patient consent to individuals and organizations that claim a need or a right to them. That the term "privacy" is not even one of the 61 terms defined in the Rule provides further evidence that, despite its title, and despite statements to the contrary, the Rule was not written to protect patient privacy. It was written to share patient data. It looks like it's about to do a very good job.

Published in Heartland Institute's Intellectual Ammunition, Summer 2003.