Update on the Federal Medical Privacy Rule:
Questions and Answers*
April 2002
Americans are being told they will have stronger medical
privacy protections under the revised federal
medical privacy rule published in the Federal Register
on March 27, 2002.1
However, the following "questions and answers" summary
shows that the revised rule does not provide patients
stronger medical privacy. Rather, it actually weakens
individuals' ability to restrict access to their medical
records.
The following summary is based on a review of the
revised federal medical privacy rule (published March
27, 2002)2
compared to the final federal medical privacy rule (published
December 28, 2000).3
Citations to specific key pages are provided to help
the public, media, and policymakers understand the serious
implications of the rule.
Does the revised federal medical privacy rule provide
consumers greater control over the flow of their personal
health information?
No, under the revised federal medical privacy rule,
patients will not be in control of deciding whether
they want health insurers, doctors, and medical data-processing
companies to share their personal health information, including
genetic information, with others. Rather, health
insurers, doctors and medical data-processing companies
are actually granted "regulatory permission" to share
patients' health information for any activities related
to patients' health care treatment, processing of their
health care claims, or "health care operations," a
term which encompasses many activities unrelated to
patients' direct care (such as permitting FBI officials
to search medical records looking for fraud and abuse
activities).4
Also, under the revised federal medical privacy rule,
health insurers, doctors, and medical data-processing
companies will not need to get patients' written,
informed consent before sharing patients' personal health
information, including past medical records and
genetic information, with many third parties.
How Does Congress or HHS Define "Medical Privacy"
or "Privacy"?
They don't. Ironically, while the federal medical
privacy rule includes many definitions, the terms "medical
privacy" or "privacy" are not clearly defined in the
rule.5
Instead, a federal committee composed primarily of fact-gathering
experts was given the legal authority to advise HHS
in establishing standards for Americans' medical privacy.6
Are patients guaranteed the right to sign private
contracts with their doctors to withhold personal health
information from third parties?
No, patients cannot withhold their personally identifiable
health information from the U.S. Department of Health
and Human Services. In fact, the rule creates a massive
federal mandate that requires every doctor and other
health care practitioner to share patients' records
with the federal government, specifically the U.S.
Department of Health and Human Services (HHS), without
patient consent.7
The federal government even has the right to access
an individual's psychotherapy notes in order to monitor
compliance with the rule.8
Will patients be guaranteed the right to an accounting
of to whom and when their personal health information
was disclosed for health care services related to their
treatment and processing of health claims?
No, patients will not receive an accounting of to
whom and when their records were disclosed for most
health care services, including activities related to
treatment, payment, or health care operations (a broad
definition encompassing many uses).9
In just a few years, patients' personally identifiable
health information is going to be flowing over the Internet, without
patients' permission, for purposes related to treatment,
payment, and health care operations. But patients won't
even know this is happening because they won't be able
to obtain an accounting of disclosures for treatment,
payment, and health care operations.
Will President Bush's proposed changes to the federal
medical privacy rule (published March 27, 2002) strengthen
or weaken Americans' medical privacy?
It is important to note that the Clinton Administration
initially proposed prohibiting doctors and hospitals
from getting patients' consent before releasing their
medical information.10
But after receiving more than 52,000 public comments,
the Clinton Administration revised the rule and added
a very weak, coercive consent provision.
However, the Bush Administration is legally permitting
health insurers, doctors and medical data-processing
companies to release patients' personal health information
without asking patients for their permission. Instead,
these entities can simply provide notices of how the
information will be shared. This policy takes the active
decision-making authority away from patients and shifts
it to doctors and hospitals. This is a major shift
away from the precious health care ethics that we have
honored for many years in this country: the ethics of
consent and confidentiality.
In addition to allowing patients' medical records
to be disclosed for treatment, payment and health care
operations, who else can see patients' records without
patients' consent?
Under the Bush Administration's revised rule (as under
the Clinton Administration's final rule), Americans'
medical records can be disclosed for many broadly defined
purposes without patient consent, including,
but not limited to, the following:
- Oversight of the health care system
- FDA monitoring (including dietary supplements)
- Public health surveillance and activities
- Foreign governments collaborating with U.S. public
health officials
- Research (if an IRB or privacy board waives consent)
- Law enforcement activities
- Judicial and administrative proceedings
- Licensure and disciplinary actions.11
Does the federal medical privacy rule provide patients
recourse if their privacy is breached?
No, patients are not guaranteed any recourse other
than the right to complain.12
They can complain to their health care providers or
institutions about privacy breaches. They also can complain
to the Secretary of the U.S. Department of Health and
Human Services. However, the HHS Secretary does not
have to investigate the complaint. The final rule reads
that the Secretary "may," not "shall," investigate complaints.13
Additionally, individuals do not have a private right
of action (they can't sue) if their privacy is breached
under the final medical privacy rule.
Why was the federal medical privacy rule created in
the first place?
The federal medical privacy rule was established as
dictated by the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) that fosters the development of
a national health information network through standardized
codes for all health care services nationwide.14
The HIPAA law requires health plans to use national
standardized codes for electronic transactions for payment
of medical care. The HIPAA law additionally requires
that unique health identifiers be assigned to four groups,
including every: (1) individual, (2) health care provider,
(3) employer, and (4) health plan.15
Those identifiers will facilitate electronic transactions
for all types of health care, whether services are paid
by government or privately. (Note: the individual identifier
has been put on hold temporarily for one year.)
The result will be that each patient's visit to a
doctor or hospital will be easily tracked.
In the next few years, it is going to become increasingly
simple to transfer electronic medical records over the
Internet. With just a click of a mouse, it will be much
easier to access and share individuals' records with
many third parties. That is why all Americans should
become informed about the federal medical privacy rule
and demand the right to control their most personal
information: their health information, including genetic
information.
* This update analysis on the federal medical privacy
rule was prepared by Sue Blevins, President, Institute
for Health Freedom and Deborah Grady, Research Associate,
Institute for Health Freedom. Many of the federal medical
privacy rule provisions remain the same as those analyzed
in a previous paper titled "The Final Federal Medical
Privacy Rule: Myths and Facts" by Sue Blevins and Robin
Kaigh, Esq. (February 8, 2001), see [http://www.forhealthfreedom.org/Publications/Privacy/MedPrivFacts.html].
1 "Standards for Privacy of Individually Identifiable Health Information," Federal Register, Vol. 67, No. 59, March 27, 2002, pp. 14776-14815, [http://www.access.gpo.gov/su_docs/fedreg/a020327c.html].
2 Ibid.
3 "Standards for Privacy of Individually Identifiable Health Information," Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82462-82829, [http://www.access.gpo.gov/su_docs/fedreg/a001228c.html].
4 Federal Register, Vol. 67, No. 59, March 27, 2002, pp. 14780, 14812.
5 Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82798, 82803-82805; Federal Register, Vol. 67, No. 59, March 27, 2002, pp. 14810-14812.
6 Federal Register, Vol. 67, No. 59, March 27, 2002, p. 14777.
7 Federal Register, Vol. 65, No. 250, December 28, 2000, p. 82802.
8 Ibid., pp. 82811, 82805.
9 Ibid., p. 82826.
10 Federal Register, Vol. 64, No. 212, November 3, 1999, p. 59941.
11 Federal Register, Vol. 65, No. 250, December 28, 2000, pp. 82525, 82528, 82813-82817.
12 Ibid., pp. 82801-82802.
13 Ibid., p. 82802.
14 "Health Insurance Reform: Standards for Electronic Transactions; Announcement of Designated Standard Maintenance Organizations; Final Rule and Notice," Federal Register, Volume 65, No. 160, August 17, 2000, pp. 50312-50313.
15 Ibid., p. 50313.