What price will medicine have to pay to protect patients’ right to privacy?
By Robert B. Doherty
Protecting the privacy of confidential medical information is something that almost everyone supports. Unlike other issues about which “pro” and “con” camps readily square off, no one really opposes protecting confidential medical information.
All of us are at some point vulnerable to the health care system. We all want to be assured that the information we give during a medical examination will stay with our physician—and not be made available to the prying eyes of unauthorized third parties.
One might expect, then, that writing a law to protect medical record confidentiality would be somewhat easy. On the contrary, it has proven to be a daunting task.
If physicians transmit any information electronically, all individually identifiable medical data they handle will be covered by the new privacy rule.
A perfect example is the 1,500-page rule the Department of Health and Human Services (HHS) published on Dec. 20, 2000, after two years of debate. The rule implements the confidentiality requirements of the Health Insurance Portability and Accountability Act (HIPAA), which itself was passed back in 1996.
HHS had to act because Congress could not agree on a legislative approach to medical-record confidentiality by August 1999, as required by HIPAA regulations. HIPAA required HHS to publish its own rule if Congress failed to act by the deadline.
HHS compiled and published a proposed rule in November 1999. Nearly 53,000 public comments were submitted to HHS in response to the proposal. Last December, more than a year later, HHS published its final rule.
Requirements of the final rule
In general, the final rule states that individuals have the following rights:
- to copy and inspect their medical records;
- to request restrictions on use or disclosure of their protected health information;
- to request corrections to their medical records;
- to demand an accounting of who has access to their information;
- to request written notice of the information practices of “covered entities”; and
- to file complaints with HHS when the rule is violated.
The biggest change in the final rule is that it covers all protected health information, whether that information is communicated electronically, on paper or orally, as long as it is collected by a “covered entity.” Covered entities are defined as health care providers that transmit any health information in electronic form in connection with a HIPAA-standard transaction.
In other words, if you as a physician engage in a single transaction of medical information in electronic form as covered by HIPAA, all individually identifiable medical data you handle—paper and electronic—are covered under the new rule. (The proposed rule, on the other hand, had covered only individually identifiable information that was transmitted electronically.)
Health care providers will have to obtain patient consent before using or disclosing protected health information for treatment, payment or health care operations. A consent includes general terms and must be signed, dated and visually separate from most other permissions.
Physicians and other “covered entities” must also have patients authorize all disclosures for all other purposes. An authorization differs from a consent in that it is more detailed and specific, giving the patient concrete information about, and control over, how privileged health information is used and disclosed. Certain exceptions are provided for law enforcement purposes, health oversight and research activities.
The privacy rule preempts state law that contradicts the federal rule or is less stringent. Exceptions can be made if the Secretary of HHS finds a compelling reason related to public safety to allow a state to apply its own law.
Criticisms of the rule
While HHS attempted to address the concerns expressed about its earlier proposed rule, the final rule has been criticized by many in health care.
Consumer advocates, for instance, decried “loopholes” that would allow unauthorized disclosure of medical information for charitable fund-raising purposes. Insurers complained that the rule made it too difficult to process claims and conduct medical review activities. Hospitals fretted about the administrative costs of the rule and asked the Bush administration to reconsider and delay its implementation.
Physicians were generally more guarded in their responses, although many expressed concern about another “unfunded mandate” that would mean more hassles, paperwork and expense. Researchers worried that the new rule’s individual authorization requirements would restrict their ability to obtain population-based data for clinical research purposes.
Principle vs. reality
Why has it been so difficult to write a regulatory framework for medical confidentiality? One reason: Although everyone agrees in principle that individually identifiable information should be protected from unauthorized disclosure, almost everyone has his or her own list of exceptions to this principle.
Insurers need confidential medical information to process claims. Physicians need to share confidential information with their colleagues. Law-enforcement officers want to be able to access confidential information when investigating crimes. The list of proposed exceptions goes on and on.
Another reason: Physicians, hospitals and other health care providers are understandably concerned about the potential administrative costs of compliance. Protecting privacy is a good idea, but finding a way to do it without making physician practices spend big bucks—and countless hours—to make it work is another matter.
Finally, the task is complicated by sheer volume: Millions of patient encounters take place each year with hundreds of thousands of physicians and tens of thousands of hospitals, nursing homes and other health care facilities. Each generates confidential medical information that needs to be protected.
The College’s response
Shortly after the final rule was published, ACP-ASIM’s legislative counsel in the Washington Office completed an eight-page analysis of the key provisions. That analysis has been provided to College Regents, Governors, and members of the Council of Subspecialty Societies and Council of Medical Societies for review and comment. Comments from ACP-ASIM’s volunteer leaders will be forwarded to the College’s Health and Public Policy Committee, which will meet in March to develop recommendations for the Board of Regents on how ACP-ASIM should respond to the new rule.
Our initial analysis suggests that HHS responded reasonably well to the College’s concerns about the earlier proposed rule. In particular, HHS addressed our concerns about loopholes that could have led to improper disclosure of confidential health information without a patient’s consent. The final rule also addressed some, though not all, of the College’s concerns about the potential administrative burden that could be imposed on physicians.
The challenge for the College will be to influence further developments so that the primacy of the patient’s right to have personal health information protected from unauthorized disclosure is preserved. But this right needs to be balanced with the need to exchange privileged information for treatment, research and billing purposes—without imposing excessive administrative burdens on internists to obtain the required consent.
Robert B. Doherty is ACP-ASIM’s Senior Vice President for Governmental Affairs and Public Policy.