[Med-privacy] The Dark Side of HIPAA: Selling Out Medical Privacy to Save a Buck

[DPeelMD@aol.com]

>From today's iHealthBeat:

The Dark Side of HIPAA: Selling Out Medical Privacy to Save a Buck

November 13, 2003

The San Francisco Chronicle recently published a story about a woman in 
Pakistan who threatened to expose U.S. medical records if she was not paid for 
transcription. 

The Pakistani transcriptionist found a way to increase her minimum wage. She 
demanded to be paid, or else she would expose Californians' medical records. 
As proof she meant business, she sent copies of their records to the 
(http://www.ucsfhealth.org/) University of California-San Francisco Medical Center. 

Patients no longer have to worry about neighbors finding out about sensitive 
medical conditions, but instead must now fear their every secret will be 
exposed for the world to see. Medical privacy is over.

How did it happen? 

The original HIPAA privacy rule noted,

 "the right of privacy is: 'the claim of individuals, groups, or institutions 
to determine for themselves when, how, and to what extent information about 
them is communicated'." 65 Fed. Reg. at 82,465

But the amended rule revoked that right:

 "The consent provisions (in the Original Rule) are replaced with a new       
   provision that provides regulatory permission for covered entities to use 
and disclose protected health information for treatment, payment, and health 
care operations."    67 Fed. Reg. at 53,211
 
Under the amended rule, medical records can be used and disclosed for 
"routine" purposes by more than 600,000 "covered entities" without patient consent or 
notice, even if patients refuse. Physicians, hospitals, health plans, 
pharmacy benefits managers, etc, can freely transmit electronic medical records to 
innumerable business associates. 

The ancient ethical and constitutional right of patients to medical privacy 
was eliminated. Instead, corporations and federal agencies have the ultimate 
right to control every citizen's cradle-to-grave medical records. 

The privacy rule is now a "disclosure" rule. So, patient records can end up 
on computers in Pakistan.

Unlimited, routine disclosures of EMRs pose a severe threat to the privacy of 
every American family. Transcription is just one example of a routine use or 
disclosure. But few of us would consider transcription in other countries 
"routine."  

"Routine" purposes sound safe and innocuous, but actually cover virtually 
every conceivable use of medical records. 

Database redundancy, ease of transmission and the impossibility of ever 
deleting all records puts Americans at risk for extortion, identity theft, public 
shame and humiliation, job loss, insurance loss, credit loss, and financial 
ruin. Diagnoses, prescriptions, genetic tests, and other data can be used to 
discriminate against us and harm our families.  Even abortion and mental health 
records can now be accessed retroactively. Whether you paid out-of-pocket for 
treatment, or were guaranteed privacy, or never get treatment the rest of your 
life, your EMRs can still be freely used and disclosed. 

The original HIPAA rule found:

    "In a matter of seconds, a person's most profoundly private information 
can be shared with hundreds, thousands, even millions of individuals and 
organizations at a time.....Moreover, electronic health data is becoming 
increasingly "national"; as more information becomes available in electronic from, it can 
have value far beyond the immediate community where the patient resides." 65 
FR 82,465-66.

Yet the amended rule requires the use of EMRs by covered entities. Any 
data-handler in the endless food chain of health care subcontractors can do to any 
of us exactly what the Pakistani woman did or worse.  

The updated HIPAA rule also eliminated recourse for privacy breaches. Audit 
trails are not required, so we will never know who violates our privacy or how 
often. The incident at UCSF was only discovered because of an extortion 
threat. 

Lack of data security standards further subjects us to exposure and harm. 
Transmitting medical records without security measures or penalties for privacy 
violations puts the cart before the horse. Businesses don't even have to 
protect our data until 2005. And no legal remedies exist, save begging HHS to 
investigate. Should HHS ever issue effective security standards and penalties, it 
will be far too late for those whose medical records were disclosed to the 
world.   

Better Privacy Safeguards Needed

The consequences of the loss of consent have yet to be understood by most 
physicians, the public, the media, or arguably even the promulgators of this 
impending disaster.

It is now national policy that every individual's health information can be 
used and disclosed without his or her consent and against his or her will for 
routine purposes. Unless this broad principle is changed, medical privacy is 
dead.

The first priority of our health care system must be to serve the interests 
of patients, not the health care, insurance, IT, hospital and pharmaceutical 
industries.

The only remedies are legislation or litigation. U.S. Representatives Edward 
Markey (D-Mass.) and Dana Rohrabacher (R-Calif.) are sponsoring a bi-partisan 
bill to save consent, but Congress won't act. In federal court, Citizens for 
Health et al. vs. Tommy G. Thompson seeks to restore every American's right of 
consent. This lawsuit will stop the hemorrhage of personal health data into 
cyberspace by giving us back the right to deny consent for routine uses of our 
medical records.

While strangers profit from the use and disclosure of our most personal 
health information, the government is telling us that the amended rule provides 
strong new safeguards for medical privacy. 

Despite their claims, the health care industries, insurance industry, and the 
government do not have patients' best interests or privacy at heart. The Bush 
Administration is promoting globalization of the nation's medical records for 
corporate profits, at the expense of citizens' constitutional rights.

We must restore the right to privacy, which is essential for effective 
medical treatment. 

About the author:

Deborah C. Peel, MD, is a psychoanalyst in private practice in Austin, Texas. 
She is president of the (http://www.patientprivacy.info/) Appeal for Patient 
Privacy and testified before Congress last year on genetic privacy. The Appeal 
for Patient Privacy is empowering Americans to protect and preserve their 
human rights to medical privacy through education and support for litigation to 
save privacy rights, like the Citizens for Health v. Tommy G. Thompson lawsuit.

The views expressed in this column are those of the author and do not 
represent the views of the California HealthCare Foundation or the Advisory Board 
Company.

If you are a subscriber to iHealthBeat, please follow the link below to view 
this article.
http://ihealthbeat.org/members/basecontent.asp?contentid=25980

-----------------------
iHealthBeat is a free daily news service of the California HealthCare 
Foundation. For information about subscribing, please visit http://www.ihealthbeat.org