Congress and the public have been growing increasingly concerned about widespread computerized "leakage" of personal health records, which contain perhaps the most intimate and intensely personal data about you. For example: "A banker who also sat on a county health board gained access to patients' records and identified several people with cancer and called in their mortgages... [and] Consumer Reports found that 40% of insurers disclose personal health information to lenders, employers, or marketers without customer permission" (Federal Register, Dec 28, 2000, p. 82468). To protect the privacy of personal health information -- so that people will still be willing to provide intimate data to their doctors -- Congress passed the Health Information Portability and Accountability Act in August 1996 and set a year 2000 deadline for implementing regulations.
The law has still not been implemented. The federal Department of Health and Human Services (HHS) published proposed rules in November 1999, and final rules in December 2000, forbidding disclosure of personal health information without obtaining that person's advance written consent, and giving big health plans and insurance companies until April 2003 to comply. HHS has since been deluged with objections from health plans, insurance companies, drug manufacturers, health product marketers, and hundreds of other segments of the health industry: 52,000 comments in 1999, another 11,000 in 2002.
Revised rules were issued in August 2002 by President Bush's HHS Secretary Tommy Thompson. The Bush rules reverse people's privacy rights: Instead of health providers and insurance companies telling you about who is seeking what data from your records and asking your consent to disclose it, companies need only distribute general notices of their disclosure practices and make "good faith efforts" to obtain people's signatures that they received the notice. Your consent would not be needed for companies to disclose your personal health information for "treatment, payment, or health care operations," nor to their "business associates," and no protection covers information once disclosed to others. People will only learn of disclosures up to six years later, if they ask for it. HHS also extended the deadline for compliance to April 2004 -- longer for big health plans.
In the meantime, only citizens in certain states that have passed their own privacy laws would be protected. Such state laws are typically not comprehensive, however, and are hard to enforce on national health companies.
Instead of reversing the original rules, HHS could have continued making specialized exceptions needed to handle practical problems of obtaining consent: ambulance drivers getting information from hospitals on unconscious patients, letting people pick up prescriptions for shut-ins, etc. For marketers, the Bush rules do make a giant exception: personal health information would be available to marketing companies promoting "alternative treatments, therapies, health care providers, or settings of care to that individual." Under the exception, it is hard to imagine any "business associate" marketer who would be denied access to your personal medical records.
Yet even this vestigial protection of health information privacy is being questioned. Because of the long lead time needed to get the nation's doctors, pharmacists, employers, health plans, and insurance companies into compliance, holding up the rules now would cause additional years of delay. It remains to be seen whether people will trust the HHS system enough to provide solid intimate health data about themselves, or whether the quality of health records -- and therefore people's health itself -- will suffer.