HIPAA's real effect: the end of medical privacy; A new dilemma for physician executives.

Every American's entire medical record became an open book on April 14, 2003, the final effective date for compliance with the amendments to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule. On that day, every American lost the right to consent to the release of his/her medical records, as a matter of federal law and policy.


The administration did not inform the nation when it eliminated every individual's right to consent to the release of his/her medical records in a few sentences buried deep within the amendments to the privacy rule. (See 67 Fed. Reg. 53,182, August 14, 2002).

The lack of clear notice also contributed to the media's and the public's focus on compliance, instead of on the loss of the right to consent. The far-reaching effects of the current regulations have yet to be appreciated by the public at large, by the media or by physicians.

The amendments to the HIPAA privacy rule grant breathtakingly broad and unprecedented powers to both private corporations and government entities to collect and amass the individual medical data of every person in the United States.

The new doctrine of federal regulatory permission gives over 600,000 "covered entities" and their innumerable business associates the right to access every American's cradle-to-grave medical records without consent, without notice and without recourse.

Even if treatment is paid for out-of-pocket or an individual never has another contact with the health care system, his or her personal health information may now be accessed for purposes of "health care operations."

In announcing the amendment to the privacy rule, the U.S. Health and Human Services Department (HHS) stated that "the consent provisions in 164.506 are replaced with a new provision at 164.506(a) that provides regulatory permission for covered entities to use or disclose protected health information for treatment, payment, and health care operations" (67 Fed. Reg. at 53,211).

In a briefing to congressional staff on August 19, 2002, Jim Pyles, a medical privacy expert, wrote that: "The privacy rule applies to covered entities and their business associates."

Covered entities are health plans (such as HMOs and Medicare Part A and B), health care clearinghouses (entities that process health information), and health care providers (any person or entity who furnishes, bills or is paid for health care). Business associates are a broad range of entities and individuals that provide services to or for covered entities. (160.103)

HHS estimated that the privacy rule affects "over 600,000 entities and virtually every American." (66 Fed. Reg. at 12,739) The health information that can be covered by the privacy rule is virtually any identifiable health information relating to the "past, present, or future physical or mental condition of an individual." (164.501)

The amendments to the privacy rule permit these covered entities and business associates to use and disclose identifiable health information for three broad purposes--treatment, payment and health care operations. (67 Fed. Reg. at 53,211)

Many of these purposes, particularly health care operations activities, are related to the business operations of covered entities rather than the need to provide health care to an individual. They include, for example, business planning and development, and business management and general administrative services.

The definitions of treatment, payment and health care operations are so broad that they encompass most of the uses and disclosures of health information.

Under the amendments, hundreds of thousands of entities and individuals nationwide will be able to use and disclose identifiable health information without the patient's consent or permission so long as they contend that they need it for a purpose related to treatment, payment and health care operations.

It is unlikely that any identifiable health information would be immune from use and disclosure without the patient's consent under this standard.

Dilemmas for physician executives

The elimination of the right to medical privacy in the HIPAA regulations poses profound ethical and legal dilemmas for physician executives.

If the amendments to HIPAA are allowed to stand, the loss of consent will radically alter the physician-patient relationship and destroy the trust that patients must feel in order to share sensitive medical information.

If there is one thing in the over 1,500 pages of dense federal regulations that every patient will come to understand, it is the loss of the right of consent--that is, the right to control the use and disclosure of one's own individual health information.

When patients realize neither they nor their treating physicians have the right to stop the flow of sensitive medical information out of doctors' offices and other treatment sites, they will vote with their feet. They will avoid medical care for as long as possible, they will omit sensitive information or they will provide false information to try to protect themselves.

If the loss of medical privacy stands, it may also create a "black market" of completely private medical care for those few individuals who can afford it.

And finally, if this new federal doctrine eliminating the right to consent is not reversed, currently existing stronger medical privacy laws in every state will fall as industries that profit from access to identifiable medical information pressure each state legislature to eliminate the right of consent. Pressure to weaken existing privacy laws is already underway in Texas and Oregon.

In effect, the Hippocratic Oath--the foundation of medical ethics and the most important of all patients' rights--has been rescinded by federal decree.

Privacy notices

The HIPAA regulations provide only a floor for patient privacy, not a ceiling. Most HIPAA attorneys have not advised clients, including institutions, health plans, hospitals, group and solo practice physicians, and other covered entities of the extent of their legal and ethical obligations under the HIPAA privacy rules.

They have neglected to inform clients that they are required to give patients notice about how to utilize greater medical privacy protections contained in state laws.

Furthermore, HIPAA specifies that physicians and health professionals should continue to use and follow the longstanding professional codes of ethics for their field or specialty and should develop privacy policies and notices in accordance with these traditional ethical principles.

Sample privacy notices were included as part of the basis for a lawsuit filed against HHS on April 10, 2003, in federal district court in Philadelphia, Pa. The lawsuit aims to overturn the amendments to HIPAA, which eliminate the right to consent. (See Citizens for Health v. Tommy G. Thompson, Secretary, US Dept of HHS, Calif. No. 03-2267 (E.D. Pa.))

As noted in the lawsuit, a review of three sample privacy notices found that patients were not being advised of the existence of more stringent state and common laws governing medical privacy that override the lesser federal protections in the HIPAA floor.

In each case, the privacy notices did not inform patients about how to exercise their rights to prevent access to their medical records under state statutory and common law.

For example, a privacy notice that simply states that "stricter state laws may provide greater protections for people with HIV or AIDS" does not fulfill the legal requirements of HIPAA. (See section 12 in Citizens for Health v. Tommy G. Thompson)

In drafting the HIPAA rule, HHS did not intend for each citizen to be forced to become an expert on the medical privacy statutes in his or her state. The rule requires the covered entities to fully inform patients of their rights under state and common law.

Physician executives may wish to obtain a legal review of any corporate or institutional privacy notices with the common defects described above, in order to be sure that they and their parent facility or employer do not incur liability for omitting required state-specific information about medical privacy laws and information about how patients can exercise their rights to protect their records under state statutory and common law.

Ethical questions

Physician executives are at the nexus of conflicting duties--duties to patients and duties to their employers or parent institutions. The amendments to HIPAA that eliminate the right of consent will add new and uncomfortable ethical and legal burdens.

Corporate legal and fiduciary responsibilities are clearly to shareholders. Physicians' codes of ethics require physicians to put the needs of patients first.

Physician executives can provide ethical and legal guidance to corporations and institutions that view the right of consent as a barrier to treatment or research and do not know the state and common laws and ethical principles that physicians must uphold.

The perspective that physicians provide to employers and institutions can make the case for protecting privacy crystal clear. Without trust, patients will avoid any treatment or tests that have the potential for discrimination, job loss, or shame and embarrassment.

Without trust, they will distort or omit critical information. Then, not only will the quality and efficacy of their care be compromised, but also the accuracy of information in health databases will be corrupted and unreliable.

In the area of mental health, psychiatrists know from direct experience how far many patients and parents will go to protect their children or their jobs, or to hide or omit information to keep others from knowing intimate personal or family information. Patients would conceal crucial medical information if they knew it would be available on the Internet.

In fact, the U.S. Supreme Court recognized that effective psychotherapy cannot exist without an absolute guarantee of privacy.

In Jaffee v. Redmond (U.S. Supreme Court, 1996), justices rejected any balancing test to weigh the needs of private individuals or entities against the right of patients to have privacy. The court noted that it was in the best interests of the nation to have effective psychotherapy available for citizens, so they affirmed the absolute right to privacy of the communications between patient and psychotherapist in recognizing a therapist-patient privilege.

Physician executives may wish to consult with attorneys who specialize in health law if they are unclear about how to protect patient privacy, unclear about how to resolve conflicts between state and federal privacy laws and regulations, or unclear about how to resolve conflicts between legal and ethical duties as an employee or manager vs. duties as a physician.

State medical associations and state licensing boards may also provide legal advice and ethical advice about state and federal medical privacy laws.

Advocating for privacy

Physician executives can advocate with employers, institutions, Congress and government agencies to restore the right to consent and enact other privacy measures. The public strongly supports the right to the privacy of the most sensitive information that exists about them--their medical records.

No single approach to medical privacy can preserve such crucial rights. When the privacy rights of individuals are pitted against corporations and governmental agencies that want unfettered access to the most valuable personal information that exists, eternal vigilance is the only effective response.


Examine why some fear that the new HIPAA privacy rule may actually take away a patient's right to privacy.


* Citizens for Health v. Thompson, E.D. Pa., No. 2:03-CV-2264, 4/10/03; No. 72 HCDR 04/15/03.

* Department of Health and Human Services, Office of the Secretary, 45 CFR Parts 160 and 164, Federal Register, Vol. 67, No. 157, Wednesday, August 14, 2002, Rules and Regulations, pp. 53182-53273.

* Hippocrates, "The Oath", Hippocratic Writings, translated by J. Chadwick and W. N. Mann, Penguin Books, 1950.

* Humber, JM and Almeder, RF (editors), Privacy and Health Care, Humana Press, Inc., Totowa, N.J., 2001.

Barry K. Herman, MD, MMM, CPE, FACPE, a psychiatrist, is director, regional medical and research specialist at Pfizer, Inc. in Philadelphia, Pa. He can be reached by phone at 610-687-4354 or by e-mail at The opinions expressed by Dr. Herman do not necessarily reflect those of Pfizer, Inc. or its agents.


Deborah C. Peel, MD, is a psychiatrist and the president of the APPEALforPRIVACY foundation, past president of the Texas Society of Psychiatric Physicians, and a member of the Council of Advisors of the Michael Tigar Human Rights Center. She has testified before Congress and HHS. Her testimony on genetic privacy can be found at She can be reached by phone at 512-474-9995 or by e-mail at


By Barry K. Herman, MD, MMM, CPE, FACPE and Deborah C. Peel, MD
COPYRIGHT 2004 American College of Physician Executives
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Point
Author:Peel, Deborah C.
Publication:Physician Executive
Date:Jan 1, 2004