By Chris Lane
By Jeff Balke
By Aaron Reiss
By Angelica Leicht
By Dianna Wray
By Aaron Reiss
By Camilo Smith
By Craig Malisow
Congress's failure to enact a medical-privacy law triggered a requirement that the secretary of Health and Human Services develop standards to protect health information that is maintained electronically. A draft of the proposed rules was released in late October.
It's not surprising that reaction among those able to wade through the 550-page document was mixed. For instance, the Center for Democracy & Technology in Washington, D.C., said the proposals were a step in the right direction. The center and others were pleased to see that HHS proposed giving all Americans access to their own health information, as well as the right to an accounting of disclosures by physicians and health plans for purposes other than treatment or payment. Also, the new regulations would prohibit health plans from conditioning treatment or physician reimbursement on a patient's agreement to disclose information.
However, mental-health professionals swiftly criticized the proposed regulations, saying they would actually give patients less control over their health records.
Of particular concern is the provision that would allow the use of patient-identifiable information, without consent, for more than a dozen purposes, including law enforcement, judicial proceedings, research and the collection of health data by government agencies. The regulations would also allow patient-identifiable records to be obtained for "health care operations," a term that encompasses a broad range of functions, including "compiling and analyzing information in anticipation of, and for use in, civil or criminal legal proceedings."
While the new rules cover health plans, health care providers and clearinghouses, they do not limit how other entities that receive health information can use and disclose it.
The health care industry's record on privacy is already "atrocious," says Karen Shore, director of the National Coalition of Mental Health Professionals and Consumers. The proposed regulations won't remedy that, she says. In fact, they might make people feel even less secure.
"It's like an interpersonal relationship," she says. "You figure out who you can trust and who you cannot by who tries to gain control and power over you and who treats you with dignity and respect.
"When you add this kind of legislation that says government agencies and researchers should have access to information without the patient's permission and without necessarily even telling them about it, that's a horror show. That's 1984."
The comparison to George Orwell's literary vision of the omnipresent "Big Brother" is an exaggeration, says UH's Mark Rothstein, a member of the National Committee on Health and Vital Statistics, which advises the government on medical records privacy and other health-related issues. Rothstein says the proposed regulations are an attempt to reach a "happy medium" between the right to privacy and the "legitimate needs" of public-health researchers, law enforcement agencies and others.
Under the new rules, for example, physicians and health plans would be required to tell people how their information is used and disclosed, and to put in place physical safeguards to protect patient confidentiality and avoid unauthorized access to electronic records.
Still, Rothstein says, "I think the regulations will be revised in dozens of places" before they are finalized early next year. "Some of the exceptions are too broad and will probably need to be closed up."
Until then, it's not clear how the federal rules will affect state patient-confidentiality laws. All 50 states limit the disclosure of medical information collected by public agencies. In Texas, for instance, the state health department maintains a cancer registry, which includes identifying information. The state Health and Safety Code, however, prohibits public disclosure of data in the registry that could identify whose records were reviewed.
The state also requires that incidents of communicable diseases be reported. That data is also confidential, and disclosure is limited to health officials for the purposes of treating and controlling the disease.
As for overall state protection of confidential medical information, Texas appears to fall somewhere in the middle. Like most states, Texas has no constitutional prohibition against release of personal health data, but instead relies on different statutes. In most instances, privacy is dictated by the state Medical Practice Act, which restricts the disclosure of medical data by physicians, hospitals and HMOs, but not by insurance companies.
Texas also allows disclosure of patient-identifiable data in most court proceedings, including criminal prosecutions where the patient is a victim, witness or defendant. The state also allows disclosure of confidential information to government agencies; for audit and research purposes; and to individuals, corporations or government agencies involved in the collection of fees for medical services.
All that really means is that Texans have no way of knowing how much of their confidential medical information ends up beyond the physician's office and their health plan.
"As a general rule, when you sign up for an insurance plan, whether you know it or not, you have agreed to have your records shared," says C.J. Francisco, senior counsel for the Texas Medical Association.
One area of growing concern for the association is self-insured companies that have access to their employees' health records. Last year employees of a large Texas company received invitations to attend a seminar on depression. Apparently, whoever administered the company's health plan combed through medical records and targeted those who had been prescribed antidepressants.