What's at stake in the HHS privacy regs?

Posted: Feb 28, 2001 12:00 AM
In earlier, simpler times, medical privacy was no problem. Your doctor recorded the date of your visit and his diagnosis and prescriptions in his inimitable illegible handwriting and put it safely in a manila folder where only he or his nurse would ever see it and nobody else could possibly read it.
The wonderful technology of computers has transformed everything. All that information and much, much more is now entered on a computer database, where it can be easily accessed, read, edited, transferred or sold by authorized or unauthorized persons. Who owns all that information? Who has the right to read it, use it, sell it? Have we lost our privacy and even our identity to technology?
This medical information is powerful in the hands of government and the bureaucrats who seek to monitor and even control the medical treatment of individual citizens. It is commercially valuable to employers, to the companies that write your health insurance, and to health care providers and pharmaceuticals that want to target their marketing more efficiently. It is a prize asset sought by anonymous gurus called researchers and by giant private foundations that believe they have superior wisdom to direct all health care spending. They still yearn for two of the original goals of Clinton's 1994 health care bill: giving government control of "global (i.e., both public and private) budgeting," and assigning every American a unique health-care identifier.
When Congress failed to pass health care privacy regulations in 1999, the authority to write them defaulted to HHS Secretary Donna Shalala. The new federal medical privacy regulations, issued Dec. 20, 2000, display the usual Clintonian doublespeak. Hailed as a pillar of patient protection, the lengthy compendium of patients' rights appears to grant mostly "virtual rights" that elude us.
The regs permit doctors, hospitals, other health services and some business associates to use our personal health records for their marketing and fund raising.
The regs start with principles of notice, access, consent and correction. But, these categories are filled with exceptions, often in complicated and confusing language, and records can be accessed without the patient's consent for a variety of reasons. The patient's records can be disclosed without his consent for all the following purposes: public health, research, law enforcement, oversight of health care, judicial and administrative proceedings, treatment, payment or health care operations.
Records can be made available to business associates on a contractual basis. Government access is greatly broadened. The HHS secretary and any HHS employee to whom he delegates authority, for reasons of "compliance," are given open access to information, including protected health information. Health plans can condition enrollment in a plan or eligibility for benefits on the patient's consent or authorization for disclosure. If the patient asks for a restriction on the disclosure, the covered entity is not required to agree to the restriction.
In the original draft of the medical privacy regulations, direct marketers' access to patient records was limited. But, heavy lobbying by the corporations paid off and they now have access for marketing purposes. Patients can opt out of the marketing provision only after being contacted at least once. The burden is on the patient to contact each marketer that sends information.
Pharmacies are permitted to share patients' prescription records with "business associates" for the purpose of marketing "health-related products and services of the covered entity or of a third party (Sec. 164.514)." The purpose is for pharmacies to send letters to patients reminding them to take their medicine, but they can also send "educational materials" from drug manufacturers (ads for new drugs).
Limited protected health information can be given to "a business associate or to an institutionally related foundation ... for the purpose of raising funds for its own benefit."
Patients have the right to inspect, copy, amend and receive an accounting of disclosures. However, the accounting will not include activities related to treatment, payment, health care operations, national security, intelligence, correctional institutions or disclosures prior to the compliance date. The right to an accounting of disclosures can be suspended if a law enforcement or health oversight agency gives a written statement that the disclosure would "likely impede the agency's activities."
In one of President Bush's first official acts, he issued a memo to all departments calling for a review of most of Clinton's end-of-term regulations. While the administration made no specific comment about the medical privacy regulations, during his campaign, Bush said, "I believe ... every American should have absolute control over his or her information."
The Bush administration has the authority to improve the regs. They state that the HHS secretary can modify the medical privacy regs at "any time during the first year after the standard or implementation specification is initially adopted."