U.S. rule raises patient fears about privacy
By Janie Magruder
The Arizona Republic
Nov. 25, 2002
Without patients' consent, medical records could be shared with a variety of health-care entities, under a federal regulation that's slated to become effective next spring.
Amendments to the Health Insurance Portability and Accountability Act of 1996 are intended to streamline medical care while protecting medical records and other personal health information maintained by physicians, hospitals, insurance companies and others, said Bill Pierce, a spokesman for the Department of Health and Human Services.
Currently, "To get treatment, you specifically have to sign a consent form before you can see the doctor, and you have to sign a consent form to send those medical records anywhere," Pierce said. "It prevents you from having access to treatment because, if you don't sign it, you don't get it."
The privacy rule, which takes effect April 14, 2003, makes optional consent for "routine health-care delivery purposes (known as treatment, payment and health-care operations)." It requires doctors' offices and others to notify patients of their privacy rights and of their methods of keeping information private, and to make a "good faith effort" to obtain patients' written acknowledgement.
But Sue Blevins, president of the Washington, D.C.-based Institute for Health Freedom, said the Department of Health and Human Services is misleading the public about the rule, which she claims is too broad and doesn't clearly define "medical privacy" and other terms.
"While claiming to be committed to 'maintaining protections for the privacy of individually identifiable health information,' HHS' privacy rule does not prevent the government or the medical industry from compiling and sharing individuals' personal health information, including genetic information, without individuals' permission," Blevins said.
Pierce said the rule makes it illegal for health-care professionals to sell patient records or to share them with employers or life insurance companies. Misuse of personal health information is punishable by fines and jail time, including civil penalties of $100 to $25,000 and criminal penalties of $50,000 to $250,000, plus one to 10 years in prison.
The federal rule does not supersede state laws dealing with the confidentiality of medical records, unless those state laws are less stringent, he said.
"If Arizona has a state law that requires consent, that state law would prevail," Pierce said. "This was written as a floor, not a ceiling."
Angela Fischer, Arizona's HIPAA coordinator, said Arizonans' health information will be protected.
"The inception of HIPAA will offer individuals no less privacy or rights than were in place prior to HIPAA," she said.
But Jim Pyles, an attorney for the American Psychoanalytic Association, isn't so sure. He called the rule "shocking."
"I can't find a single case where privacy rights have been so broadly extinguished by the federal government," Pyles said. "It's amazing in its breadth and number of people they allow information to be disclosed to . . . including insurance companies, clearinghouses that process claims and business associates, such as consultants, lawyers, accountants and others."
Pyles said half of the states, including Arizona, have statutes that require patients to give their consent before medical records are released. He's not convinced state laws will take precedence, saying the law is up to interpretation.
Dr. Don Boles, a Sun Lakes physician and director of a drug and alcohol center in Chandler, says the rule won't affect the way his office treats patient confidentiality.
"We're going to go ahead and do consent forms the way we always have," Boles said. "We'd always be smart to have patient consent."
Reach the reporter at (602) 444-8998.