[Med-privacy] Privacy Rule

peter marshall pwm@comcast.net
Thu, 20 Nov 2008 13:11:59 -0800


Reinstate e-health privacy

Dr. William Yasnoff

Most people believe the Privacy Rule of the Health Insurance
Portability and Accountability Act protects the privacy of health
information. Unfortunately, that is a myth. Just as the P in HIPAA does
not stand for privacy, the HIPAA Privacy Rule actually eliminates
privacy protection in a way that prevents violations from being
detected, monitored or audited.

Before the HIPAA Privacy Rule was adopted in 2002, a long-established
legal principle held that individuals had the right to control all
access to their health records. As we make the transition to electronic
health records, we need to reinstate that important legal right.

The basic provisions of the HIPAA Privacy Rule state that health
information cannot be disclosed without a patient's consent, with three
exceptions:

     * Treatment (medical care).
     * Payment (processing insurance claims).
     * Operations (business functions of health care, such as monitoring
       quality of care).

On the surface, those so-called TPO exceptions — named for the first
letter of each — seem reasonable. After all, personal medical
information should be available for treatment — that's the primary
purpose of recording it. Information should also be available to
process insurance claims. And every health care organization should be
able to perform routine operations, such as monitoring the quality of
care provided. So what's the problem?

The problem is this: Who decides whether a particular disclosure of
personal health information falls under the TPO exceptions and can be
done without consent? The answer is: Whoever possesses the information,
whether it is a hospital, health plan, insurer, etc. Furthermore, when
an organization makes a decision to disclose information, it does not
have to inform the patient. The patient has no input and no right to
appeal or review.

What is even more disturbing is that once a decision is made to
disclose personal health information under the TPO exceptions, there is
no requirement to record that disclosure.

So in addition to not being involved in deciding whether a given
disclosure qualifies as a TPO exception, patients cannot find out
afterward if the organization followed the TPO definitions
appropriately.

In foreign policy, former President Reagan was famous for his "trust,
but verify" motto. In stark contrast, the HIPAA Privacy Rule seems to
say: "Trust, but keep no records that would allow verification."
Although everyone hopes reasonable and equitable decisions are being
made about disclosing health information, there is no way to find out
if that is the case.

The intent here is not to accuse any health care organization of
disclosing private health information inappropriately. But there are
always bad actors, so accountability and monitoring are absolutely
necessary. HIPAA provides no accountability. The lack of records of TPO
disclosures means there is no way to know — even after the fact — if
there have been improper or illegal disclosures.

The HIPAA disclosure forms that patients are asked to sign in doctor's
offices, clinics and hospitals are not consent forms, as many believe.
They are notification that patient privacy is not ensured. It does not
matter if they are signed or not — the HIPAA provisions apply
regardless.

Why is that important? First, patients should be able to control their
health information in the same way they have the right to decide what
treatments to receive. Second, inappropriate disclosure of health
information can cause harm — by damaging one's ability to get a job,
for example. Third, electronic records create more risk because they
are more easily accessible.

If we are going to convert our mostly paper medical records to
electronic form, we must first fix the HIPAA Privacy Rule so that it
actually protects our privacy.


Yasnoff is founder and managing partner at NHII Advisors, which helps
communities and organizations develop health information
infrastructures. He was previously senior adviser for the Health and
Human Services Department's National Health Information
Infrastructure.


© 1996-2008 1105 Media, Inc.