If the Bush administration has its way, beginning in April 2003 individuals’ personal health information–including genetic information–will be shared with data-processing companies, insurance companies, doctors, hospitals, researchers, and others without their consent. This is a major shift from today’s standard whereby patients give their consent before their medical records are shared with third parties. The administration proposes to eliminate the current standard in order to make processing medical claims more efficient. If the changes are adopted, every American will have effectively lost any ability to maintain a confidential doctor-patient relationship.
How did the federal medical privacy rule come about? Who was behind it? What can Americans do to protect their medical privacy?
Until now, health privacy was considered a matter regulated by the states. Every state has a law to protect citizens’ medical records. However, abiding by 50 different state privacy laws has proved difficult for the industries that want to create a national health-information system. National leaders of the medical, hospital, health-insurance, and other industries have been working for over a decade to nationalize standards for electronic claims processing. In 1991 the Workgroup for Electronic Data Interchange (WEDI) was established to lobby Congress for legislation to enable electronic medical records and payment systems.
WEDI was instrumental in getting many of its goals incorporated into the infamous Clinton health-care plan. President Clinton’s 1993 Health Security Plan included a provision titled “Administrative Simplification.” It called for establishing a national health-information infrastructure, requiring unique identifiers to be assigned to four groups for processing medical claims electronically: every (1) health-care provider, (2) health plan, (3) employer, and (4) individual. The Administrative Simplification plan also called for creating uniform national codes for medical claims and for establishing federal medical privacy rules. The bottom line is that you can’t create a national health-care system without standardized information.
Congress and the American people vehemently rejected the Clinton plan to nationalize health care. However, the Administrative Simplification provision was tucked away in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was signed into law on August 21, 1996 (Public Law 104-191). Many remember HIPAA as the legislation that was supposed to make health insurance portable and affordable. (It never met those purported goals.) Under HIPAA, the same four groups mentioned above would be required to have unique identifiers for processing claims electronically. Thanks to the diligent work of U.S. Representative Ron Paul, federal funding for a health-identifier system has been put on hold over the past few years. But unless that provision of the HIPAA statute is repealed, all Americans may soon be assigned a number for tracking their medical information from cradle to grave.
Aware that the American people were concerned about medical privacy, legislators included a provision in HIPAA requiring that a medical-privacy law be passed by August 21, 1999, or the secretary of Health and Human Services (HHS) would have to generate such a rule. HIPAA also included a provision that gave WEDI (and other groups) legislative authority to advise HHS on the forthcoming national health-information system and medical privacy. Congress missed its self-imposed deadline, and the authority to establish federal regulations for medical privacy shifted to the Clinton administration.
Clinton Administration Rule
In November 1999 the Clinton administration proposed federal regulations relating to medical privacy. They would have prohibited doctors, hospitals, and others from obtaining patients’ consent before releasing their medical information. However, the public spoke out against the rule. HHS received more than 52,000 comments during the public comment period. The issue most discussed was patient control of personal health information.
A final federal medical privacy rule was published in December 2000, just before President Clinton’s departure. It prohibited release without consent of information for treatment, payment, or “health care operations”–a broad term encompassing many activities. However, many other third parties did not need patients’ consent before obtaining their medical records. These included law-enforcement officials, researchers, public-health officials, and many more.
The medical and insurance industries were strongly opposed to the consent provision as it appeared in the final rule. They lobbied the incoming administration strongly to eliminate it. Not surprisingly, in March 2002 the Bush administration proposed to modify the rule so that health-care insurers, providers, institutions, and others could transfer medical information electronically to pay claims, treat patients, and do other tasks–without patients’ consent. Instead, the Bush administration called for providers simply to notify patients about how their information is being shared. It will complete the revisions in the coming months.
In essence, the federal government is giving the medical industry regulatory authority to decide whether personal health information can be obtained by others without patients’ permission. What’s more, WEDI and other medical-industry groups strongly support pre-empting state laws regarding medical privacy. Given their strong lobbying success, it is likely that in the near future state laws will be replaced by the federal medical-privacy rule. This will be a large leap toward national health care.
The privacy rule is one of the greatest infringements on liberty that this country has ever experienced. It applies to all citizens, whether they rely on government assistance or pay privately for their health care. As written and soon to be enforced, the rule requires doctors, therapists, and other providers to share patients’ health-related information–including psychotherapy notes–with the secretary of HHS. The government’s rationale is that federal agents need to invade your privacy to protect it.
The only way that citizens will be able to maintain their medical privacy in coming years is to have private contracts with doctors and other health-care providers. It is not clear whether the current version of the privacy rule will interfere with an individual’s right to make contracts. But what is clear is that every American is losing the freedom to maintain a confidential doctor-patient relationship.