What Every American Needs to Know about the HIPAA Medical Privacy Rule*
Updated Fall 2009
Did you know that under the federal HIPPA (Health Insurance Portability and Accountability Act of 1996) medical privacy rule, your personal health information—including past records and genetic information—can be disclosed without your consent to large organizations such as the following?
- Data-processing companies
- Researchers (in some instances)
- Doctors (even those not treating you)
- Law enforcement officials
- Public health officials
- Federal government
Under the HIPAA rule all of the above are legally permitted to access your personal health and genetic information without your permission.
How did this federal rule come about?
Why Federalize Privacy Law?
Who was behind it and lobbied for it?
What can you do to protect your medical privacy?
Until recently, health privacy was considered a matter regulated by the states. Every state has some type of law to protect citizens’ medical records. However, abiding by 50 different state privacy laws has proved difficult for the industries that want to create a national health information system. Thus, leaders of medical, hospital, insurance, and other industries have been working for over a decade to nationalize standards for electronic medical records.
Who was Behind the National Electronic Health Information System?
In 1991, the Workgroup for Electronic Data Interchange (WEDI) was established to foster the development of national electronic medical codes and electronic payment systems. WEDI succeeded in getting many of its goals incorporated into the Clinton health care plan. President Clinton’s 1993 Health Security Plan included a provision titled “Administrative Simplification.”
That section of the plan called for establishing a national health information infrastructure. It required that unique identifiers be assigned to four groups for processing medical claims electronically, including every: (1) individual, (2) employer, (3) health insurer, and (4) health care provider. It also called for creating national codes for medical claims and for new, federal medical privacy rules.
HIPAA Law Includes Mandatory Unique Health Identifiers
The bottom line is that you can’t create a national health care system without standardized information.
The American people clearly rejected the Clinton plan to nationalize health care. However, the Administrative Simplification provision was tucked away in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was signed into law on August 21, 1996 (Public Law 104-191).
Under the HIPAA law, the following four groups are required to have unique identifiers for tracking medical records and electronic claims processing, including every:
Unique Health Identifiers Put on Hold—but Only Temporarily
- health insurer, and
- health care provider.
Due to public outcry, federal funding for assigning every individual a unique health identifier has been put on hold temporarily over the past few years. But unless the Administrative Simplification provision of the HIPAA law is repealed, all Americans could be assigned a number for tracking their medical information from cradle to grave.
Also, aware that the American people were concerned about medical privacy, legislators included a provision in HIPAA requiring that a medical privacy law be passed by August 21, 1999, or the secretary of the U.S. Department of Health and Human Services (HHS) would have to draft such a rule. Congress missed its self-imposed deadline, and the authority to establish federal regulations for medical privacy shifted to HHS under the Clinton administration.
Clinton Administration Drafted a Federal “Medical Privacy” Rule
In November 1999, the Clinton administration proposed federal regulations relating to medical privacy. It proposed prohibiting doctors, hospitals, and others from obtaining patients’ consent before releasing their medical information.
However, the public spoke out against the proposed rule and removal of consent. HHS received more than 52,000 comments during the public comment period. The issue most discussed was patient control of personal health information.
A final HIPAA rule was released on December 28, 2000, just before President Clinton’s departure. In response to public outcry, HHS restored patient consent. That version of the HIPAA rule required that individuals give their consent before medical records could be used for health care treatment, payment, or “health care operations”—a broad term encompassing many activities. However, many other third parties did not need patients’ consent before obtaining their medical records, including:
- FDA (for monitoring drugs and dietary supplements),
- law enforcement,
- researchers (in some instances),
- public health officials,
- federal government, and
- medical licensing boards.
Bush Administration Eliminated Patient Consent
Some industries were strongly opposed to the consent provision as it appeared in the December 28, 2000 final HIPAA rule. They lobbied the incoming Bush administration to eliminate patient consent. In March 2002, HHS proposed to modify the HIPAA rule so that health care insurers, hospitals and others could transfer medical information—without patients’ consent—to pay claims, treat patients, and do other tasks. The Bush administration published its final modifications to the HIPAA rule on August 14, 2002. The final rule can be found in the U.S. Code of Federal Regulations, see 45 CFR 160 and 45 CFR 164.
Consequently, for the first time in our nation’s history, the federal government is now giving the medical industry legal authority to decide for individuals whether personal health information can be released to others without individuals’ consent. Individuals will not get an accounting of when their medical records are disclosed for routine (most) purposes.
What’s more, some powerful industry groups support pre-empting state laws regarding medical privacy. Given their past lobbying success, it’s likely that state laws soon could be pre-empted by the federal HIPAA rule.
How the Economic Stimulus Law Changed the HIPPA Rule
There are conflicting reports about how the economic stimulus law affects citizens’ health privacy rights. This is why the Institute for Health Freedom (IHF) offers the following facts to show that the economic stimulus law does NOT give individuals the final say over whether their personal health information can be disclosed to many third parties. See: How the Economic Stimulus Law Affects Your Health Privacy Rights.
What Can You Do to Protect Your Medical Privacy?
The HIPAA rule applies to all citizens, even if you pay privately for health care. Thus, if you want to restore true medical privacy and control who has access to your personal health and genetic information, you should:
(1) get Congress to pass a law that ensures your authority to decide who can access your medical records; and
(2) work with your state legislators and governor to make sure stronger state medical privacy laws are not pre-empted by the HIPAA rule.
It’s your personal health information and you should be the one to decide who has access to it!
President Clinton’s 1993 Health Security Plan, "Health Security Act," H.R. 3600 (Introduced in House), November 20, 1993 (see "Subtitle B--Information Systems, Privacy, and Administrative Simplification," beginning on page 861).
"Health Insurance Portability and Accountability Act of 1996," Public Law 104-191 (See Title II, "Subtitle F, Administrative Simplification," beginning on page 87 (110 Stat. 2021).
"The Final Federal Medical Privacy Rule: The Definitive Guide," Institute for Health Freedom, March 6, 2003.
HIPAA Rule Proposed by Clinton Administration: "Standards for Privacy of Individually Identifiable Health Information; Proposed Rule," Federal Register, Vol. 64, No. 212, November 3, 1999, p. 59918-60065.
HIPAA Rule Finalized by Clinton Administration: "Standards for Privacy of Individually Identifiable Health Information; Final Rule," Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82462-82829.
HIPAA Rule Modified by Bush Administration: "Standards for Privacy of Individually Identifiable Health Information; Final Rule," Federal Register, Vol. 67, No. 157, August 14, 2002, pp. 53182-53273.
"Feds Seek to Harmonize State Health-Privacy Laws," Institute for Health Freedom, February 2008.
* By Sue A. Blevins, president of the Institute for Health Freedom and Robin Kaigh, Esq., an attorney dedicated to patients’ health privacy rights. This historical summary is based on an analysis published by the Institute for Health Freedom in 2003. (Updated Fall 2009 by Sue A. Blevins.)