Medical privacy questions abound.

Published in The Orlando Sentinel on February 6, 2000

Michael Freeny, an Orlando psychotherapist, educator, and author of the medical thriller, Terminal Consent, wrote this article for the Sentinel.

There are some interesting questions buzzing throughout Washington regarding the privacy of your medical records.

For example:

-Should the police be able to snoop through your private medical records without your knowledge, consent or eve a search warrant?

-Should insurance companies have expanded powers to use, transmit, share or profit from your medical records as long as the data is used for treatment, payment or "health-care operations"?

-Should your employer have access to your medical records to monitor employee-subsidized health care?

-Should the federal government give itself the right to obtain your medical records without your consent or knowledge?

These and other important questions are provisionally answered by the Department of Health and Human Services draft regulation that propose revolutionary rules to govern use of electronic medical records.

The need for such rules is long overdue. Medical information is now routinely stored, transmitted, and retrieved by computers. The traditional paper chart is fading into history as databases of symptoms, treatments, payments, procedures and authorizations create the "virtual chart".

Unlike an unwieldy paper chart, which can only be at one place at a time, the Electronic Patient Record can be everywhere, viewed simultaneously by providers and insurers in different states.

Today there is simply no way to deliver efficient, precise and timely medical care without computers.

However, the convenience of instant access to a patient's medical data must be balanced against the traditional right to privacy, consent and protection.

Your trust in the confidentiality in a health-care setting may dramatically affect your willingness to tell the truth about sensitive subjects, such as substance abuse, sexual diseases, depression, or marital problems.

Historically, such information was held in private confidence between doctor, patient and medical chart. Today, sensitive information and even clinical photographs are routinely shared with many health-care players, increasingly via the Internet.

In the past, medical-records privacy has been a matter of state regulation. However, there is currently little consistency from one state to another. With so many national health-maintenance organization managing patient care, the need for nation standards has become urgent.

Richard Coorsh, vice president of the Health Insurance Association of America, said that his group supports the federal attempt to preempt state privacy laws.

"This will help us in the efficient delivery of care and allows physicians and payors to communicate freely," Coorsh said.

Congress actually granted itself the power to develop such rules in 1996, then missed its own August 1999 deadline to develop them.

The task then fell to Health and Human Services, which posted the drafty privacy rules in November 1999 and will accept public comment on them through Feb. 17 before issuing final rules.

The proposed rules stray from a number of strong standards in medical privacy. Laws have long required patient to sign a "consent to release" information form., even for such routine tasks as allowing a physician to bill an insurer or to communicate with other health-care providers.

The proposed Health and Human Services rules do away with this requirement. the use of identifiable health information requires no patient consent or notice if it is "compatible with or directly related to treatment, payment, or health care operations."

This is like a "don't ask, don't tell" policy, allowing a hospital physician to look at the records of other patients with similar illnesses or even other family members without asking or telling anyone. Similarly, insurers, regulators, case managers, claims managers, data processors, and a host of others in the system will also have equal access. The patient has no right to demand an accounting of all medical record disclosures. The regulations also allow for law-enforcement agencies to issue administrative orders for medical information without going through the courts and without seeking the patient's consent.

As part of an investigation, the police could peek into your medical symptoms and treatments in search of criminal evidence to determine what medical evidence would correlate with drug use, child abuse, domestic violence, or sexual diseases. Banking and payment processors will enjoy similar rights to examine your medical data without informing you, as long as it's "the minimum amount of protected health information necessary to complete a banking or payment activity." That likely would include medical information about the who, what, when, where, and how for your medical care.

HHS spokeswoman Lorrie McHugh says that their proposed regulations "try to address the issue of consent by strengthening the information consumers must get about how their information is used and disclosed."

But Paul Appelbaum, MD, vice president of the American Psychiatric Association, said of the proposed regulations, "The approach is that the confidentiality of medial records can be set aside for any reason at all."

Doesn't the patient have a right to restrict access to their own medical data?

Unfortunately, no, the regulations do allow the individual "to request" that uses or disclosure be restricted. However, the regulations state that the provider, "is not required to agree to the requested restriction." So it's their call, not yours. Also, an individual may not ever request restrictions of disclosure to a variety of government agencies. 

What if you suffer personal damage from an inappropriate disclosure of medical information?

The regulations establish civil and criminal penalties for violations, but can only be enforced if an entity "knowingly" violated the privacy standards.

It would be up to the consumer to first discover the violation and then request HHS to prove that the use of a person's health care data was not related to "health care operations", a nearly insurmountable burden of proof for HHS, according to James Pyles, Washington, D.C. legal counsel for the American Psychoanalytic Association.

The patient has no right to sue for punitive damages under these rules. These regulations are about government standards, and violations and fines would go to HHS. The patient would need to purse litigation at his own expense.

Because the regulations are to be managed by HHS, the agency has granted itself broad powers to investigate and even confiscate records if they believe entities are out of compliance.

Think about this: When the Nixon White House burglars wanted to get Daniel Ellsberg's psychiatric records, they had to actually go tot eh doctor's office to steal them. Under the draft regulations, HHS could simply "suspect" that the good doctor was our of compliance and get copies of all his records to investigate. Of course, under the law-enforcement provisions, the FBI also could request the records as evidence. 

The regulations strip away most of the accepted check and balances of informed consent and patient notification . There is no right or presumption of privacy, a staggering change in patient's rights that consumers and health-care professionals should examine closely. HHS may need to know that a major part of our privacy serve to protect against government intrusion. The federal government learned  this recently when OSHA tried to extend its workplace standards to home office workers - giving itself and employers rights to inspection and enforcement in your own home.

Fortunately, public outrage squashed those rules within 24 hours.