Health care records: books open to abuse; the Georgetown Health Privacy Project argues that respecting and protecting privacy improves both individual health care and the system as a whole.

Georgetown University's Institute for Health Care Research and Policy includes the Health Privacy Project (on the Web at, which researches and analyzes medical privacy issues. A major focus is the new federal privacy regulation promulgated by the Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The project also studies medical privacy on the Internet, medical and genetic privacy in the workplace, and bioterrorism and public health and privacy. The latter is intended to ensure that privacy is protected with the increased flow of medical information needed to prevent or detect bioterrorism. The project's Consumer Coalition for Health Privacy consists of about 100 national organizations representing people with disabilities, labor organizations, health care providers, and a range of consumers and patients.

Joanne Hustead, senior counsel of the Health Privacy Project, recently spoke with TRIAL Associate Editor Rebecca Porter about access to medical records and the recently finalized federal privacy regulation.

What is the mission of the Health Privacy Project?

We approach medical privacy as a health issue. We believe that in order to improve access to quality health care, the privacy of people's medical information needs to be respected and protected. We think that protecting privacy and promoting access to quality care go hand in hand.

Already about one in six people engages in some kind of privacy-protective behavior. For example, people will not talk to their doctor about a medical concern they have, or they will ask their doctor to omit information from their medical chart. They doctor-hop to avoid having a consolidated medical record, and, in the worst cases, they don't get care at all. They also pay out of pocket for care--even though they have insurance--because they're concerned their insurance company will learn about a particular condition. These behaviors are not optimal for their own health care.

Do these behaviors skew the data gathered for public health purposes or medical research?

Yes. If the data that goes into research studies is not complete or accurate, or if people are afraid to participate in research, then we all suffer to some extent because of the loss of privacy. There's no question that concerns about privacy keep people from participating in clinical studies.

Who has access to people's health care information--besides doctors, hospitals, pharmacies, and insurance companies?

Drug companies, researchers, public health authorities, pharmacy benefits managers, ambulance drivers, even the florist who sends flowers to the hospital--it's a long list. Employers routinely obtain health care information about their employees. There are lots of ways they get that information: for example, through occupational safety and health exams, fitness-for-duty exams, requests for sick leave or family or medical leave, or the group health plan they sponsor. And through some of these avenues, they get information not only about their employees, but also about their employees' dependents.

I'm not suggesting that in every case access to that information is inappropriate; in some cases it is, but in many cases it is not. We're concerned about making sure that when somebody does have access to a person's health information, it's for a legitimate purpose--that information is used only as necessary, and that its disclosure is limited.

If health care information wasn't shared to some extent, our health care system would shut down. But it's critical to have limits on how it's collected, used, and disclosed. That's really what privacy laws are all about: setting those kinds of limits.

The Americans with Disabilities Act (ADA) protects workers from being fired for a medical condition. But if an employer has access to employee health information, will it use the information in making hiring decisions? What types of abuses are going on?

The ADA is an important federal law that protects against discrimination on the basis of disability. But as it's been construed by the courts, it protects fewer and fewer people--even people who, most would agree, have an actual physical disability. When it comes to someone who just has a medical condition, but not a disability, the ADA does not really provide much protection, if any.

We are concerned that, for example, an employer would find out that an employee has gotten help for depression. Even if the employee is getting care, the health plan is paying for it, and the employee is perfectly functional on the job, there may come a time when the employer has to decide which employees to promote or lay off. What's to stop the employer from reasoning, "We have this employee who we think in the future may not be the best employee," or "We think this employee might cause us to spend a lot through our health care plan"? The ADA is not going to protect this person from an adverse employment action unless the person has an actual disability or is regarded as having a disability. And that is becoming a very small box for people to fit into.

Let me give you an example. A woman who lives in North Carolina began taking preventative drug therapy for a genetic deficiency. Her employer learned about it when she submitted claims through the health plan. She was not sick and got favorable performance appraisals and raises, but she was fired. She filed an ADA claim with the Equal Employment Opportunity Commission (EEOC), and the local district office of the EEOC agreed that there was evidence to believe she was discriminated against on the basis of disability. But the case didn't proceed past this point, so the difficult legal issues raised were not thoroughly hashed out.

Five years ago, Janlori Goldman, now director of the Health Privacy Project, told TRIAL that putting health care information online was just in its infancy. (Privacy on the Internet, TRIAL, June 1997, at 20.) Obviously, that's changed. For example, didn't HIPAA impose some federal regulations on privacy? What are they, and whom do they protect?

In 1996, many in the health care industry told Congress that the system was out of control: Paperwork was too complicated, every insurance company had different requirements and different forms, and processing claims was taking too much time. It was an administrative nightmare. So Congress passed HIPAA to encourage providers of health care and payers, like insurance companies, to communicate electronically using standard formats.

Everyone realized at the time that privacy protections needed to be an integral part of any system designed to encourage and facilitate electronic exchange of health information. HIPAA required the Department of Health and Human Services to promulgate regulations governing these standard formats, but the statute first gave Congress three years to enact comprehensive privacy protections. Congress was unable to pass such a law during that three-year period, a failure that triggered the authority for HHS to promulgate a privacy regulation. In fall 1999, HHS released a proposed medical privacy regulation that was the subject of extensive comment, and in December 2000, it released the final version.

This is the first federal law that actually protects the privacy of medical information in the private sector. There are federal laws that protect privacy in the context of specific federal programs, like Medicaid, but this is the first time that we've had a federal law that actually reaches health care providers and payers in private industry when they provide or pay for care outside of any federal health program.

The law has been in effect since April 2001, but there's a two-year compliance period, so health care plans and health care providers generally have until April 2003 to comply with it.

Could you summarize the law? It seems to cover some entities but leave many uncovered.

As a general matter, the regulation puts limits on how health plans, health care clearinghouses, and certain health care providers use and disclose protected health information. It protects health information in any format, including information transmitted or stored electronically, information recorded on paper and stored in file cabinets, and oral information. It also gives patients new rights with respect to their health information, including the right to see and copy their own records.

As you said, however, there are lots of loopholes. For example, the regulation pretty much covers all health plans, and it defines "health plan" very broadly. But when it comes to providers, it only covers those that transmit certain information electronically. I think that will mean the bulk of providers. But if a doctor's office, for example, is all paper-based and sends insurance claims to the company via snail mail instead of over the computer, then that doctor's office won't be covered.

But more significant than the limits on the providers that are covered is the number of entities that aren't directly reached by the regulation. Employers, drug manufacturers, and pharmacy benefits managers are not reached directly, nor are some research entities. Because the underlying statute was designed to facilitate the exchange of health information between providers and payers, it only reaches certain actors in the health care system.

So how do average consumers determine whether their medical information will be protected by the statute?

That won't always be easy. Your health plan or health insurer will be covered by the law, but when it comes to your providers, the only way to know is to find out whether they engage in the requisite standard electronic transactions and thus are required to comply.

One important provision in the privacy regulation is that a covered entity has to give every patient a notice of its privacy practices. So after April 2003, when you go to see your doctor or go into the hospital, you will get a notice of the privacy practices that the provider must follow to comply with the federal law. That should be a signal that at least the provider thinks it has to comply. Under the original regulation as released in December 2000, that health care provider had to first give you a notice of its privacy practices and then ask for your written consent to use or disclose your health care information for specific purposes.

And that has changed?

On August 9, 2002, the Bush administration finalized its changes to the regulation, significantly weakening it. One major change that we are extremely troubled by is the elimination of that prior consent requirement.

Providers will no longer be required to get a patient's consent before using or disclosing health information for a variety of purposes. Instead, providers will merely be required to supply the notice I discussed earlier and make a good-faith effort to get the patient to acknowledge receiving the notice. Seeking prior consent gives patients the power to decide whether to entrust others with their private medical information, under what circumstances, and for what purposes.

But a patient consent requirement does more than give patients control over their health information. It is the best way to ensure that patients actually know how their health care information will be used or disclosed and know what their privacy rights are. The process of obtaining consent defines an initial moment during which patients can raise questions about privacy concerns and learn more about options available to them. Notice alone does not provide a comparable opportunity for dialogue or understanding.

Another major, and very troublesome, change has to do with the use of information for marketing or for commercial purposes. We think the changes open up the use of health information for marketing in ways that people will find quite offensive. It will legalize a number of the most egregious violations of privacy.

But didn't the Bush administration claim that its changes would make it more difficult to use health information for marketing purposes?

Its changes require that a covered entity get prior authorization before using health information or disclosing it for marketing purposes. But the regulation now defines what is marketing and what is not marketing in a way at odds with the way most people define "marketing."

For example, there's been a fair amount of publicity and some lawsuits and attorney general investigations involving chain drugstores that are paid by drug companies to go through people's medical files in order to send these patients a letter saying, "You're taking treatment X, how about switching to treatment Y?" In our view, that is marketing, particularly since it's been paid for by the drug company. But the Bush administration changes define that practice as not marketing. Any time a covered entity, like a pharmacist, recommends an alternative therapy to you, it is, by definition, not marketing--even when that communication is requested and paid for by a third party like a drug manufacturer.

When we first heard about the proposed changes last March, we thought we'd secured an important victory, but people are actually much worse off now. Not only do the changes define marketing in a very troublesome way, but they also remove some safeguards that were in the regulation.

Take the example of a drug company paying a drugstore to send customers a communication suggesting that they switch drugs. In the Clinton version of the regulation, that letter would have to say it was being paid for by the drug company, and it would have to include information about how you could opt out of future communications. We thought that was not strong enough, that it should have required prior authorization--the drug store should have asked you first whether it could use your health information to send you that type of marketing pitch. But at least there were some safeguards: a disclosure requirement so that people could see the financial conflict of interest, and an opt-out provision. After the changes, these safeguards are gone.

When you go to a health-related Web site, for example, to look at information on diabetes, and there's a notice at the bottom that says, "We protect your privacy," what protection does that give? A Web site is probably not a covered entity, so can it associate you with diabetes information and stick your name on a list that may be shared and sold?

How the HIPAA regulation is going to impact the Internet is complicated. First, you have to figure out whether the entity that you're dealing with is a covered entity under the regulation. Does it have to comply? If it doesn't, there are no federal laws that protect how it uses or to whom it discloses that information.

If the entity has some kind of privacy policy noted on its Web page, it does have to abide by that policy. If not, it risks enforcement action by the Federal Trade Commission (FTC). But if entities don't make specific promises about how they're going to protect your privacy, then they can pretty much do anything they want. Returning to the diabetes information search, chances are that any information you provide about yourself or your family history is not protected by the HIPAA privacy regulation, because the site sponsor is not a covered entity and is not treating you. It is not providing you with health care.

The FTC has cited some Web sites for misusing information shared with third parties, but the agency has also backed away from new legislation, opting to enforce the laws already on the books. What is its role in protecting the privacy of medical records on the Internet?

The laws that exist now allow the FTC to go after a Web site that promises to protect privacy in a particular way and breaches that promise. But it has no authority to go after Web sites that don't make such promises. Based on the work that we've done, many Web site privacy notices are either nonexistent or totally inadequate. At some point, Congress may deal with this, but it's not likely to do so in the near future.

What other remedies are there, and will there be other legislation?

The privacy law is a landmark in federal law, so I don't want to minimize its significance. Where it applies, it will provide more protection than people had previously. For example, people will now have a federal right of access to their medical records, which they did not have before. But the HIPAA privacy regulation is just a first step. It does not, by itself, adequately protect the privacy of health information. I would expect at some point that Congress will have to act on legislation to regulate entities not covered by the HIPAA privacy regulation and to address other shortcomings in the regulation.

What have courts said about the new law?

Two lawsuits have been brought in federal court challenging the constitutionality of the regulation and HHS's authority to promulgate it. One was brought in Texas by the Association of American Physicians & Surgeons, and the other was brought in South Carolina by the South Carolina Medical Association and the Louisiana State Medical Society. This past summer, both federal district courts granted the government's motions to dismiss. At this point, we understand that appeals are being considered.

What about cases brought in state courts? What does state law do to protect privacy?

Before the privacy regulation came around, all we had was state law. And, as always, state law varies tremendously. The Health Privacy Project's Web site contains a compilation of state privacy statutes. It doesn't cover all the laws that impact how the privacy of medical information is protected in each state, but it's a good jumping-off place for research.

There's now a cottage industry that has arisen to interpret the interrelationship of state laws and the federal medical privacy regulation. The federal regulation says state laws that protect privacy better or provide a greater right of access are not preempted by the federal law. So people living in a particular state really need to look at both federal law and state law.

We have laws at both levels that provide protection for only certain information or only with respect to certain entities. For example, a state statute may prevent the disclosure of health information by doctors but not by hospitals.

If a state law is less protective of privacy than the HIPAA protection, it will be preempted by the federal standard. HIPAA was intended to create a minimum standard that would apply across the board, across the country. Many in the industry want to preempt all state privacy laws so that the only one they have to pay attention to is the federal law. But we think it's important for the states to be able to provide greater protection. And that is the approach taken in the HIPAA statute and in the privacy regulation.

There are civil and criminal penalties built into the regulation, and it sets, for the first time, a duty-of-care provision on how information can be used and shared. Will this provide a basis for tort litigation?

Yes. Plaintiff lawyers will now have an important new tool in their toolbox. One of HIPAA's shortcomings is that it does not explicitly create a direct federal cause of action. But it does set a standard of care, and we expect that there will be claims based on this standard in state courts under state tort theories.
COPYRIGHT 2002 American Association for Justice

Title Annotation:Joanne Hustead, senior counsel of Georgetown University's Health Privacy Project
Article Type:Interview
Date:Oct 1, 2002