() Comments
Whose records? Does medical privacy law hinder privacy?
By David Steinkraus
Journal Times
A Journal Times editor went to the dentist, and when she picked her medical records folder off a reception desk to look at it, the office manager publicly and loudly rebuked her. Perhaps the manager was incensed over a violation of procedure, or was venting anger from something else, but the editor was confused about her rights to look at her own health records.
More than 10 years after it was passed, the Health Insurance Portability and Accountability Act (referred to by everyone as HIPAA), is still causing confusion in part because people who have to apply it don’t necessarily understand it. Beyond the application of rules lies the broader issue of whether people have lost privacy.
The need
“HIPAA was necessary,” said Peter Swire, a law professor at Ohio State University. In the Clinton White House he was coordinator for the HIPAA rules as they were being drafted. “During the 1990s, health-care payments shifted from paper to electronic. That meant that patients’ medical records were flying around in electronic form, and Congress correctly said that security and privacy and security should be built in at the same time. Before HIPAA we had no national medical privacy law.”
“HIPAA’s done a few things very well,” said Joy Pritts, an associate research professor with the Georgetown University Health Policy Institute. “First, it’s made sure that the people in every state had the right to access their medical records. It also has raised the awareness of privacy around medical records.”
That seems to be both the blessing and the curse. In states where patients had no right of access to their personal health information, they got some, attorneys say. But HIPAA may also be used instead of a stronger state privacy rule. That’s the case in Wisconsin.
“And when the law came out, the big thing was it carried a big stick,” he said. Both fines and jail time are possible for people violating HIPAA rules.
If someone objects to a release of personal information, Kaminski said, that person is encouraged to first seek a solution by talking with the offending organization. If there is no satisfaction, the matter can be referred to the Office of Civil Rights in the federal Department of Health and Human Services.
However, the federal government has not been vigorous about enforcing the law, Swire said. The office of civil rights hasn’t assessed any monetary penalties. There have been a few criminal cases brought under the statute, but all have been by individual U.S. attorneys, none by the Justice Department in Washington. If Health and Human Services falls down on enforcement, there are no courts to fall back on, Swire said.
Individual have no right to sue for a violation of privacy under HIPAA. Wisconsin law does allow that.
It would take an act of Congress to restore the power of individuals to sue.
No consent, no privacy
For attorney Jim Pyles, HIPPA has undercut centuries of patient rights. Pyles is a founder of Powers Pyles Sutter & Verville in Washington, D.C. His firm has represented doctors at odds with HIPAA and continues to work for the American Psychoanalytic Association.
Coupled with the problems that Pyles says he sees in the law itself is a leaky health information system typified by the lost Veterans Administration laptop that contained information on thousands of people. In 1991, workers at pharmaceutical company Eli Lilly released on the Internet an e-mail list of 600 people taking Prozac. In a report issued at the beginning of this year, the Government Accountability Office, the investigative arm of Congress, said the federal government does not have adequate security measures in place for the electronic exchange of health information. Once those records are on the Internet, Pyles said, they’re available forever to anyone anywhere with a computer and Internet access.
What happened to HIPAA, he said, was the Bush administration. Along with many other regulations implemented in the last days of the Clinton administration, the HIPAA rules were put on hold when the Bush group took power.
Some of the definitions were very broadly interpreted in order to permit widespread sharing of health information, but the biggest issue is that the need for patient consent was minimized.
Without the right to consent to how information is used, any notion of privacy becomes meaningless.
“So this is not a new concept,” Pyles said, “and when someone says, ‘Oh, HIPAA is better than state law,’ then they’re doing a couple things. One is, they’re assuming better is more disclosure. And there’s no doubt that when you eliminate someone’s right or civil right — which privacy is — the system becomes more efficient. It’s a lot more efficient, for example, to kick in your door and search your home without a warrant — very efficient. But we as citizens like to think that as long as we obey the law and don’t pose a threat to society that we have a right to be let alone. That’s a kind of a uniquely American concept, and you’ll find it embedded in most of the first ten amendments to the Constitution ... and you’ll find it embedded in standards of medical ethics and state law.”
HIPAA doesn’t officially pre-empt state laws, but Pyles said that the effect is that it does. If someone handling your information does not need your consent to share it, you’ll never know whether your information was passed on, leaving you no way to assert rights under state law.
Now, unfortunately, HIPAA is becoming the de facto nationwide standard for privacy laws, which means that it is not only a floor for rights but also a ceiling, Pyles said. “As I often say, when the floor becomes the ceiling the consumer has very little place to stand.”
Control to you
There’s a new wrinkle in electronic health information, and the most visible example is Microsoft Corp. which several weeks ago announced that it intended to set up an electronic warehouse where people could store their health records and then make them available to any health care provider. Microsoft doesn’t fall under the definition of a health care organization in HIPAA, and therefore is not subject to its privacy rules.
Nor is Microsoft the only one. Google plans to enter this market, said Pritts, the Georgetown professor, and several major employers have formed their own consortium to store records on several million employees. None of these existing or proposed projects would be subject to HIPAA privacy rules.
“And what has happened since HIPAA became effective is that the technology has outgrown the law in just this short time,” Pritts said.
An advisory committee in the federal government has proposed widening the definitions in HIPAA to include under its security umbrella any organization which handles personal health records. There is talk on Capitol Hill about changes, Pritts said, but there is also great reluctance to reopen HIPAA.
Peg Schmidt, chief privacy officer for Aurora Health Care, said she would be leery of transmitting records to Microsoft because it is not restricted by HIPAA. Based on what he’s heard, Pyles thinks it may be a step in the right direction because only the patient will control access to those records, which is the definition of privacy.
Among all the issues clamoring for public attention, none is of greater importance than medical records privacy, Pyles said, because at the heart of this issue is the reliability and quality of our health care system. Consider, he said, that getting proper treatment depends on telling a physician intimate details of your life and trusting that this information won’t be released to embarrass you or be used against you.
If people lose that trust, medical records may be compromised, may become worthless, and with it will go health care.
Special Offer: Get 5 Weeks of the Journal Times for $7!
|
 |
|
| Whose records? Your records, your rights | Thanksgiving: From scratch to easy does it |
