The Michigan Society for Psychoanalytic Psychology
  MSPP News   

June 2003, Volume 13, No. 2

MSPP Home         Newsletter Archives         Reading Room

HIPAA Questions and Answers

[This analysis of the modified, final federal medical privacy rule was prepared by Sue Blevins, President, Institute for Health Freedom and Deborah Grady, Research Associate, Institute for Health Freedom.  The full text of this article (which has been slightly abbreviated, here, for reasons of space), with source citations, can be found at http://www.forhealthfreedom.org/Publications/Privacy/TruthAbout.html]. 

Does the federal medical privacy rule provide consumers greater control over the flow of their personal health information?

No, under the modified, final federal medical privacy rule, patients will not be in control of deciding whether they want health insurers, doctors, and medical data-processing companies to share their personal health information—including genetic information—with others. Rather, health insurers, doctors and medical data-processing companies were granted "regulatory permission" to share patients' health information for any activities related to patients' health care treatment, processing of their health care claims, or "health care operations"—a term which encompasses many activities unrelated to patients' direct care (such as fundraising and permitting government officials to search patients' medical records looking for fraud and abuse activities).4

Also, under the modified, final federal medical privacy rule, health insurers, doctors, and medical data-processing companies will not need to get patients' written, informed consent before sharing patients' personal health information—including past medical records and genetic information—with many third parties…. 

Does the federal medical privacy rule prevent data-processing companies, health care providers, health plans and/or government agencies from compiling individuals' personal health information in databases without individuals' consent?

No, there is nothing in the rule that prevents data-processing companies, health care providers, health plans and/or government agencies from compiling individuals' personal health information—including genetic information—in databases without first obtaining individuals' consent.  

How Does Congress or HHS Define "Medical Privacy" or "Privacy"?

They don't. Ironically, while the federal medical privacy rule includes many definitions, the terms "medical privacy" or "privacy" are not clearly defined in the rule.6 Instead, a federal committee composed primarily of fact-gathering experts was given the legal authority to advise specifically the U.S. Department of Health and Human Services (HHS) in establishing standards for Americans' medical privacy.7

Are patients guaranteed the right to sign private contracts with their doctors to withhold personal health information from third parties?

No, patients cannot withhold their personally identifiable health information from the U.S. Department of Health and Human Services. In fact, the rule creates a massive federal mandate that requires every doctor and other health care practitioner to share patients' records with the federal government—HHS—without patient consent.8 The federal government even has the right to access an individual's psychotherapy notes in order to monitor compliance with the rule.9  

Will patients be guaranteed the right to an accounting of to whom and when their personal health information was disclosed for health care services related to their treatment and processing of health claims?

No, patients will not receive an accounting of to whom and when their records were disclosed for most health care services, including activities related to treatment, payment, or health care operations (a broad definition encompassing many uses).10 Patients' personally identifiable health information is going to be flowing over the Internet—without patients' permission—for purposes related to treatment, payment, and health care operations. But patients won't even know this is happening because they won't be able to obtain an accounting of disclosures for treatment, payment, and health care operations.

Do President Bush's modifications to the federal medical privacy rule (published August 14, 2002)  strengthen or weaken Americans' medical privacy?

It is important to note that the Clinton Administration initially proposed prohibiting doctors and hospitals from getting patients' consent before releasing their medical information.11 But after receiving more than 52,000 public comments, the Clinton Administration revised the rule and added a weak, coercive consent provision. However, the Bush Administration is legally permitting health insurers, doctors and medical data-processing companies to release patients' personal health information without asking patients for their permission. Instead, these entities can simply provide notices of how the information will be shared. This policy takes the active decision-making authority away from patients and shifts it to doctors and hospitals. This is a major shift away from the precious health care ethics that we have honored for many years in this country: the ethics of consent and confidentiality.  

In addition to allowing patients' medical records to be disclosed for treatment, payment and health care operations, who else can see patients' records without patients' consent?

Under the Bush Administration's modified rule (as under the Clinton Administration's final rule), Americans' medical records can be disclosed for many broadly defined purposes without patient consent, including, but not limited to, the following:

  • Oversight of the health care system

  • FDA monitoring (including dietary supplements)

  • Public health surveillance and activities

  • Foreign governments collaborating with U.S. public health officials

  • Research (if an IRB or privacy board waives consent)

  • Law enforcement activities

  • Judicial and administrative proceedings

  • Licensure and disciplinary actions.12

 Why was the federal medical privacy rule created in the first place?

The federal medical privacy rule was established as dictated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that fosters the development of a national health information network through standardized codes for all health care services nationwide.15 The HIPAA law requires health plans to use national standardized codes for electronic transactions for payment of medical care. The HIPAA law additionally requires that unique health identifiers be assigned to four groups, including every: (1) individual, (2) health care provider, (3) employer, and (4) health plan.16 Those identifiers will facilitate electronic transactions for all types of health care, whether services are paid by government or privately. (Note: the individual identifier has been put on hold temporarily.) The result will be that each patient's visit to a doctor or hospital will be easily tracked.

It is becoming increasingly simple to transfer electronic medical records over the Internet. With just a click of a mouse, it will be much easier to access and share individuals' records with many third parties. That is why all Americans should become informed about the federal medical privacy rule and demand the right to control their most personal information—their health information, including genetic information.

 

MSPP Home         Newsletter Archives         February 2003 News          Reading Room