December 15, 2001

FEDERAL RULES PLACING MEDICAL PRIVACY AT RISK

If you think it's no big deal to have your medical records disclosed to others without your knowledge or consent, you have no reason to worry about federal privacy policies.

But if -- like most Americans -- you think that would be outrageous, you probably need to know that federal regulations adopted as part of the Health Insurance Portability and Accountability Act have greatly diminished your rights to medical privacy.

Sue Blevins, founder and president of the Institute for Health Freedom, examined the privacy rules published in the Federal Register in December 2000, and what she found should worry just about everyone (there's a summary, by Blevins and co-author Robin Kaigh, at forhealthfreedom.org on the Web).

The Department of Health and Human Services drafted the privacy rules, so it's no surprise that the rules allow the agency itself to get your medical records from your doctor or any other health-care provider without your consent -- even the case notes from your psychotherapy sessions.

Who else? You theoretically have the right to keep your records private, but there are exceptions for any of the following purposes:

* Oversight of the health care system;

* Monitoring by the Food and Drug Administration;

* Public health surveillance and activities;

* Foreign governments collaborating with U.S. public health officials;

* Research if the institution's review board waives consent by participants in a study;

* Law enforcement activities;

* Judicial and administrative proceedings;

* Licensure and disciplinary actions.

With so many broad exceptions, the right doesn't amount to much. And the exceptions are even broader than they seem, because once information is disclosed to a third party not covered by the rules, it ceases to be protected.

But at least you can find out who's been finding out about you, right? Wrong. If the records were disclosed for reasons related to health care, including treatment, payment or ``health care operations'' (which could be almost anything), you aren't entitled to know about it.

And you have the right to complain to the secretary of HHS if you think the rules were broken, but the secretary doesn't have to act on the complaint and even if the complaint is eventually upheld, you don't get any compensation and you're not permitted to sue.

That's the way things are now, but they're about to get worse. Another part of the act, currently on hold, will require every participant in health care -- the patient, the health-care provider, the employer and the insurance plan -- to have a unique identification number. That will facilitate construction of a huge database in which every interaction will be traceable. And, e-mail being what it is, readily shared as well.

Another organization, the Pew Internet and American Life Project (at pewinternet.org) has looked specifically at the implications of the privacy rules for people using the Web.

The Health Privacy Project's report warns that the privacy rules apply only to Web sites operated by organizations that are already subject to the rules. ``Activities like filling a prescription, receiving e-mail alerts or getting a second opinion'' may be covered at one site and not at another. Also, some activities on a Web site may be protected, while others are not.

If a patient refuses to sign a consent form allowing use of medical information in those nebulous ``health care operations,'' the health-care provider may refuse to offer services. And if the patient does sign the form, the provider can also use the information for online marketing messages. A Web provider who isn't covered by the privacy rules can even compile such a list and sell it to third parties, ``subject only to the restrictions of its own privacy policy,'' the report says.

HHS announced its rules with great fanfare, presenting them as an enhancement of medical privacy. The fine print reveals a very different reality.

(642 words)