[Med-privacy] Privacy Rule
Bob Gellman
bob@bobgellman.com
Thu, 20 Nov 2008 19:26:16 -0500
peter marshall wrote:
> Reinstate e-health privacy
>
> Dr. William Yasnoff
>
> Most people believe the Privacy Rule of the Health Insurance
> Portability and Accountability Act protects the privacy of health
> information. Unfortunately, that is a myth. Just as the P in HIPAA
> does not stand for privacy, the HIPAA Privacy Rule actually eliminates
> privacy protection in a way that prevents violations from being
> detected, monitored or audited.
>
> Before the HIPAA Privacy Rule was adopted in 2002, a long-established
> legal principle held that individuals had the right to control all
> access to their health records. As we make the transition to
> electronic health records, we need to reinstate that important legal
> right.
>
> The basic provisions of the HIPAA Privacy Rule state that health
> information cannot be disclosed without a patient’s consent, with
> three exceptions:
>
> * Treatment (medical care).
> * Payment (processing insurance claims).
> * Operations (business functions of health care, such as
> monitoring quality of care).
>
<snip>
What's really interesting about Yasnoff's article is his fundamental
lack of understanding of HIPAA. This last statement isn't true. There
are plenty of other exceptions that allow disclosure without consent,
including disclosure for health care oversight, for public health, to
the cops, to the CIA(!), to researchers, to the courts, and to others.
Many of these disclosure exceptions are quite expansive. For the most
part, TPO disclosures remain subject to HIPAA. Most of the other
disclosures result in information that is no longer subject to the HIPAA
privacy rule.

I don't necessarily disagree with other points in the Yasnoff article.
But neither HIPAA nor the health care system is so simple that the
privacy problems can be solved with a simple fix. Like it or not, we
have a health care system that functions with the use of identifiable
patient information for numerous purposes related directly to health
care and for numerous purposes less related. That's the current
reality, and any changes to privacy rules have to confront that reality.

And by the way, there was no general legal principle before HIPAA that
allowed patients to control all access to their records. That's a
myth. Rights varied with state law, and many of the HIPAA disclosures
were routine before HIPAA without patient consent. Patient consent
usually consisted of an authorization by the patient for the disclosure
of "any or all" of the patient's health record for any purpose
whatsoever. Informed consent was rarely informed and not consensual
either, since failure to sign the "consent" form meant that you would be
refused treatment or required to pay for it up front.

Bob
--
+ + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman <bob@bobgellman.com> +
+ Privacy and Information Policy Consultant +
+ 419 Fifth Street SE +
+ Washington, DC 20003 +
+ 202-543-7923 www.bobgellman.com +
+ + + + + + + + + + + + + + + + + + + + + + +