What Americans Need To Know About Medical Privacy
Did you know that the federal government is going to change
the rules governing who has access to your medical records?
These changes will make it easier for a wide range of
individuals and groups to access your medical information.
On November 3, 1999, the U.S. Department of Health
and Human Services (HHS) published its proposed medical
privacy regulations in the Federal Register.2
The regulations would apply to all individuals, whether
their health care is paid for privately or by the government.
The public has 60 days to comment on the proposed regulations.
By law, the federal government must take into account
comments it receives from the public--including concerned
citizens, government agencies, and special interest
groups-- before writing the final rules. The comment
period ends January 3, 2000 [The
comment period was recently extended to February 17,
SUMMARY OF KEY QUESTIONS & ANSWERS
Here are some important questions and answers Americans
should consider before allowing the federal government
to adopt the proposed medical privacy regulations:
- Will the government or private citizens set the
terms for who has access to patients' medical records?
- Who will have access to patients' electronic
medical records--including genetic information--without
obtaining patients' consent? Many people and organizations--including
health plans, providers, hospitals, researchers, medical
students, government agents, law enforcement officials,
and others--will have access to patients' medical
records without obtaining their consent.
- Will the proposed privacy regulations guarantee
patients the right to inspect and copy all information
related to their medical care? No, patients will
not be guaranteed access to medical malpractice information
obtained for a legal proceeding.
- Will individuals be able to sue if their medical
confidentiality is breached? No, not under the
proposed medical privacy regulations.
- What can Congress do to truly protect
patients' medical privacy? It should enforce--not
eliminate--patient consent forms for disclosure of
KEY QUESTIONS & ANSWERS
President Clinton says the proposed privacy regulations
"represent an unprecedented step toward putting Americans
back in control of their own medical records." Is this
No. The proposed regulations do not guarantee
true protection of medical privacy. In fact, they are
the first step toward creating a centralized database
for electronic medical records. By law, HHS must assign
each American a "unique health identifier" (a patient
ID number) that could be used to tag and track each
person's medical history electronically from cradle
to grave. This is a requirement of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA),
which was signed into law August 21, 1996. 3
Unless HIPAA is repealed, all Americans will be assigned
a unique health identifier. The proposed privacy regulations
will govern who has access to individuals' electronic
medical records and the forthcoming unique health identifiers.
As they stand, the proposed regulations could lull
the American public into a false sense of security.
They assure people that the federal government will
protect "individually identifiable information," but
they don't explain how the unique health identifiers
will work. That part of the plan will be inserted into
the regulations later, but we don't know when.
HHS is considering six alternatives for creating unique
health identifiers, including biometric identifiers
that employ DNA analysis or voice recognition technology,
according to a HHS White Paper published in July 1998.
Clearly, the public needs to know what form the unique
health identifiers will take before it can judge: (1)
whether the proposed privacy regulations will truly
protect electronic medical records; and (2) how such
a tracking system could invade individuals' privacy.
Will the government or private citizens set the
terms for who has access to patients' medical records?
The government--not private citizens--will set the
terms for who has access to individuals' medical information
without patient consent. Patient authorization
will no longer be required to disclose health care information
in most circumstances. In fact, the proposed regulations
"We also propose to prohibit
covered entities [health plans providers, hospitals,
clinics, etc.] from seeking individual authorization
for uses and disclosures for treatment, payment and
health care operations unless required by State or other
In effect, the federal government is eliminating
patient consent for disclosure of most health care information.
At the same time, it is increasing access to
patients' medical records. In its proposed regulations,
HHS cites a congressional report noting:
"Health information is considered relatively
`safe' today, not because it is secure, but because
it is difficult to access. These standards improve
access [emphasis added] and establish strict
This is a contradiction. Government can't enforce
strict privacy protections by giving more people access
to patients' medical information. Rather, allowing more
people to peer into patients' medical records results
in less privacy.
Who will have access to patients' electronic medical
records--including genetic information--without obtaining
Many people and organizations--including health plans,
providers, hospitals, researchers, medical students,
government agents, law enforcement officials, and others--will
have access to patients' medical records without
obtaining their consent. Individual authorization is
not required for sharing information related to medical
treatment, payment, or "health care operations." In
addition, the regulations state:
"After balancing privacy and other social
values, we are proposing rules that would permit use
or disclosure of health information without individual
authorization [emphasis added] for the following
national priority activities and activities that allow
the health care system to operate smoothly:
- Oversight of the health care system
- Public health functions
- Judicial and administrative proceedings
- Law enforcement
- Emergency circumstances
- To provide information to next-of-kin
- For identification of the body of a deceased person,
or the cause of death
- For government health data systems
- For facility patient directories
- To banks, to process health care payments and
- For management of active duty military and other
special classes of individuals
- Where other law requires such disclosure and no
other category of permissible disclosures would
allow the disclosure."7,8
It is important to note that the term "health care
operations" is broadly defined. It includes access to
patients' medical information for "[c]ompiling and analyzing
information in anticipation of, or for use in, civil
or criminal legal proceedings." It also includes uses
for "[r]eviewing the competence or qualifications of
health care professionals, evaluating practitioner and
provider performance, health plan performance, conducting
training programs in which undergraduate and graduate
students and trainees in all areas of health care learn
under supervision to practice as health care providers.
. ." 9
Will the proposed privacy regulations guarantee
patients the right to inspect and copy all information
related to their medical care?
There are no guarantees that health care organizations
must let patients inspect and copy all
information related to their medical care. Curiously,
page 59926 of the regulations states:
"We propose that individuals be able to obtain
access to protected health information about them, which
would include a right to inspect and obtain a copy of
such information. See proposed § 164.514."
However, the referenced section says that under certain
circumstances--such as when information is compiled
for use in a legal proceeding--a covered entity (hospital,
clinic, doctor's office, etc.) may deny an individual's
request to obtain information. HHS explains:
"In § 164.514(b)(1)(v), we are proposing
that covered plans and providers be permitted to deny
a request for inspection and copying if the information
is compiled in reasonable anticipation of, or for use
in, a legal proceeding. . . For example, when a procedure
results in an adverse outcome, a hospital's attorney
may obtain statements or other evidence from staff about
the procedure, or ask consultants to review the facts
of the situation for potential liability. Any documents
containing protected health information that are produced
as a result of the attorney's inquiries could be kept
from the individual requesting access." 10
Who will most likely want to obtain a copy of all
information related to his medical care? Someone who
feels he's suffered an adverse outcome or been injured
would want to get a copy of newly obtained information
related to medical malpractice. Yet, it appears that
under the proposed privacy regulations, a request for
information related to medical malpractice could be
denied. That information could be important for seeking
follow-up care related to an adverse outcome or injury.
Moreover, if the request is denied, the only recourse
is to complain to the entity (i.e., hospital, provider,
or clinic) or file a complaint with the Secretary of
Will individuals be able to sue if their medical
confidentiality is breached?
No, individuals won't be able to sue under the proposed
medical privacy regulations. The regulations specifically
"There is no private right of action for
individuals to enforce their rights, and we are concerned
that the penalty structure does not reflect the importance
of these privacy protections and the need to maintain
individuals' trust in the system."12
Individuals can't sue, but the federal government
may impose penalties on providers, hospitals, and other
organizations that breach patients' medical privacy.
Individuals, not the federal government, should be compensated
for invasion of their medical privacy.
What can Congress do to truly protect patients'
Congress could repeal the HIPAA section that requires
the adoption of a "unique health identifier" (patient
ID number) to tag and track individuals' medical records
electronically. Representative Ron Paul (R-TX) has introduced
legislation (H.R. 220) that would do just that.
The only way individuals will truly control the privacy
of their own medical information is if: (1) government
enforces, not eliminates, patient consent forms for
disclosure of medical information; (2) individuals,
not government, decide if they want their medical information
compiled in a centralized database; (3) individuals,
not government, decide who has access to their medical
records, except under very limited circumstances; and
(4) individuals are not forced to accept a "unique health
identifier" for tagging and tracking their medical records
Moreover, individuals who agree to unique health identifiers
should choose their own personal identification numbers
(PINs) for their electronic medical records, just as
they do for their own bank accounts. Individuals could
then decide whether to make their health PINs available
to all ambulance services, hospitals, providers, researchers,
government agents, and the many others who want access
to patients' medical records.
Finally, if a health care organization or provider
breaches a contract of nondisclosure, then individuals
should have the right to sue.
summary report was prepared by Sue Blevins, president
of the Institute for Health Freedom and Robin Kaigh, Esq.,
a private practicing attorney. This summary report was
based on the authors' review of the HHS proposed privacy
regulations published in the Federal Register.
Nothing in this summary report should be construed as
legal advice or as an attempt to support or hinder the
passage of any legislation pending before Congress. November
[The proposed medical privacy regulations were published
in the Federal Register, Vol. 64, No. 212, pp.
59917-60065, Wednesday, November 3, 1999.]
Source: Health Insurance Portability and Accountability
Act of 1996 (P.L. 104- 191), enacted August 21, 1996.
Title II, Subtitle F, Sec. 1173(b) states "The Secretary
[of Health and Human Services] shall adopt standards
providing for a standard unique health identifier for
each individual, employer, health plan, and health care
provider for use in the health care system." (This section
of the law is similar to a section of the original Clinton
health care plan [S. 1757] introduced in 1993.) [Note:
(2/3/2000) For an update on the unique health identifier,
see the following article: What's
Happening with the Unique Health Identifier.]
The HHS White Paper titled "Unique Health Identifiers
for Individuals, A White Paper" is posted at the following
Web site: (http://www.forhealthfreedom.org/hhswhitepaper).
Federal Register, p. 59941. See also pp. 60050-60051
"Subpart B--Preemption of State Law." This section explains
the terms under which State law will be preempted.
Ibid., p. 59928.
Ibid., pp. 59925-59926.
Ibid., pp. 60056-60059. See § 164.510 "Uses and disclosures
for which individual authorization is not required."
Subsection (h) notes that information can be shared
for directory purposes, provided that, the individual
has agreed to such disclosure.
Ibid., pp. 59933-59934.
Ibid., p. 59983.
Ibid., pp. 60059-60060.
Ibid., pp. 59923-59924.
Did you know that under the proposed privacy regulations,
individuals will not be able to sue if their medical
privacy is invaded?