No True Health Privacy?
Many Citizens Complaining about Medical Privacy Breaches Are Not Being Helped by the Federal Rule
November 22, 2004
The federal government and many industry groups have led Americans to believe that the federal medical privacy rule will protect the confidentiality of individuals' medical records. But many people who filed complaints with the U.S. Department of Health and Human Services (HHS) alleging privacy breaches must have been shocked to learn that the rule does not protect their privacy as they assumed it would.
GAO Report on the Federal Health Privacy Rule
According to a recent General Accounting Office (GAO) study, citizens filed 5,648 complaints with HHS alleging abuses of privacy during the first year the federal health privacy rule was in effect. As of May 2004, about half (2,741) of the complaints had been processed by HHS.
Of the 2,741 cases that have been reviewed, the government dismissed 971 (35.4%) of those complaints because the so-called federal medical privacy rule doesn't prohibit the sharing of patients' data in many instances. In fact, the rule actually authorizes many third parties to access patients' medical records without their consent.
Another 484 complaints (17.7%) were also dismissed because the alleged abuser isn't required to abide by the rule. That is because the rule applies to, and will be enforced on, only three categories of professionals (and their business associates): health-care providers, health-care clearing-houses, and health insurers. Anyone else not defined as a "covered entity" by the rule (banks, lawyers, many employers, etc.) isn't required to abide by the rule. Thus, the federal government will not pursue citizens' complaints of privacy breaches against those groups. And citizens have no other recourse under the federal rule.
What's most interesting about the GAO study is the section titled "Individual Privacy Rights." Nowhere does that section say individuals have a right to privacy or the right to say who may or may not see their records. It is obvious from that section of the report that the only "individual privacy rights" citizens have are the rights to:
(1) get copies of their medical records and to ask for amendments to them (they are not guaranteed);
(2) be informed generally about uses and disclosures of their health information (they will not be informed specifically about what information was used/disclosed and to whom);
(3) obtain an accounting of disclosures for purposes other than treatment, payment, or health-care operations (these three categories capture most uses!); and
(4) file complaints of privacy abuses.
Source: "Health Information: First-Year Experiences under the Federal Privacy Rule," September 2004, General Accounting Office Report #GAO-04-965.