Feb. 28, 2001
In earlier, simpler times, medical privacy was no problem. Your
doctor recorded the date of your visit and his diagnosis and
prescriptions in his inimitable illegible handwriting and put it safely
in a manila folder where only he or his nurse would ever see it and
nobody else could possibly read it.
The wonderful technology of computers has transformed everything.
All that information and much, much more is now entered on a computer
database, where it can be easily accessed, read, edited, transferred,
or sold by authorized or unauthorized persons.
Who owns all that information? Who has the right to read it, use
it, sell it? Have we lost our privacy and even our identity to
This medical information is powerful in the hands of government
and the bureaucrats who seek to monitor and even control the medical
treatment of individual citizens. It is commercially valuable to
employers, to the companies that write your health insurance, and to
healthcare providers and pharmaceuticals that want to target their
marketing more efficiently.
It is a prize asset sought by anonymous gurus called researchers
and by giant private foundations that believe they have superior wisdom
to direct all health care spending. They still yearn for two of the
original goals of Clinton's 1994 Health Care bill: giving government
control of "global (i.e., both public and private) budgeting," and
assigning every American a unique health care identifier.
When Congress failed to pass health care privacy regulations in
1999, the authority to write them defaulted to HHS Secretary Donna
Shalala. The new federal medical privacy regulations, issued December
20, display the usual Clintonian doublespeak.
Hailed as a pillar of patient protection, the lengthy compendium
of patients' rights appears to grant mostly "virtual rights" that elude
us. The regs permit doctors, hospitals, other health services and some
business associates to use our personal health records for their
marketing and fundraising.
The regs start with principles of notice, access, consent, and
correction. But these categories are filled with exceptions, often in
complicated and confusing language, and records can be accessed without
the patient's consent for a variety of reasons.
The patient's records can be disclosed without his consent for all
the following purposes: public health, research, law enforcement,
oversight of health care, judicial and administrative proceedings,
treatment, payment, or health care operations. Records can be made
available to business associates on a contractual basis.
Government access is greatly broadened. The HHS Secretary and any
HHS employee to whom he delegates authority, for reasons of
"compliance," are given open access to information, including protected
Health plans can condition enrollment in a plan or eligibility for
benefits on the patient's consent or authorization for disclosure. If
the patient asks for a restriction on the disclosure, the covered
entity is not required to agree to the restriction.
In the original draft of the medical privacy regulations, direct
marketers' access to patient records was limited. But heavy lobbying
by the corporations paid off and they now have access for marketing
Patients can opt out of the marketing provision only after being
contacted at least once. The burden is on the patient to contact each
marketer that sends information.
Pharmacies are permitted to share patients' prescription records
with "business associates" for the purpose of marketing "health-related
products and services of the covered entity or of a third party."
(Sec. 164.514) The purpose is for pharmacies to send letters to
patients reminding them to take their medicine, but they can also send
"educational materials" from drug manufacturers (ads for new drugs).
Limited protected health information can be given to "a business
associate or to an institutionally related foundation . . . for the
purpose of raising funds for its own benefit."
Patients have the right to inspect, copy, amend, and receive an
accounting of disclosures. However, the accounting will not include
activities related to treatment, payment, health care operations,
national security, intelligence, correctional institutions, or
disclosures prior to the compliance date.
The right to an accounting of disclosures can be suspended if a
law enforcement or health oversight agency gives a written statement
that the disclosure would "likely impede the agency's activities."
In one of President Bush's first official acts, he issued a memo
to all departments calling for a review of most of Clinton's end-of-
term regulations. While the Administration made no specific comment
about the medical privacy regulations, during his campaign, Bush said,
"I believe . . . every American should have absolute control over his
or her information."
The Bush Administration has the authority to improve the regs.
They state that the HHS Secretary can modify the medical privacy regs
at "any time during the first year after the standard or implementation
specification is initially adopted."