Patient Privacy Protections Pending
April 27, 2000 (Washington) -- Individuals will enjoy at least some measure of national protection of health information by as early as August. A proposal by the Department of Health and Human Services (HHS) that would set national standards for the release of personal health information cleared perhaps the greatest and final obstacle in its path Wednesday when the General Accounting Office (GAO), the government's nonpartisan investigative arm, declared the proposed rules legal and valid.
HHS stepped forward with its proposal in November as a stopgap measure to protect the confidentiality of medical records after Congress missed a deadline to pass a patient privacy law.
The proposed rules would give Americans the right to examine and correct their own medical records, and would prevent the transfer of health care information without prior patient authorization for any reason other than treatment, payment, or "health care operations."
HHS's authority to issue health information privacy regulations lies in the Health Insurance Portability and Accountability Act (HIPAA), which was passed in 1996. The act, which essentially ensures that individuals can move from one health plan to another without the fear of being excluded due to a preexisting condition, included a provision allowing HHS to create health privacy standards if Congress failed to pass legislation by August 1999.
"In brief, the regulatory strategies HHS adopted in the proposed rule seem consistent with HIPAA's purpose of protecting the privacy of health information and are legally permissible," testified Janet Heinrich, associate director of the GAO, before a Senate committee convened to determine the rules' legal legitimacy.
But despite having passed the test of legitimacy, the value of the proposed rules still remains largely a matter of opinion.
On one hand, health plans, hospitals, and drug companies argue that the rules could actually have a chilling effect on the quality of health care.
"If caregivers are not able to obtain and share patients' medical histories, lab results, physician observations, and other information, patients will not receive the most appropriate, timely, high-quality care possible," testified John Houston, assistant counsel for UPMC Health System, speaking on behalf of the American Hospital Association.
On the other hand, consumer advocacy groups and other experts say the rules are too limited.
"By virtue of the limited authority delegated by Congress, the rules have limited applicability and cover only health plans, health clearinghouses, and health care providers who transmit health information in electronic form," pointed out Janlori Goldman, director of the Health Privacy Project Institute at Georgetown University. Employers, researchers, and others who receive and retransmit information -- such as law enforcement officials -- are not covered.
Ultimately, these issues will have to be addressed by Congress, they both agreed. A national law is needed to address these discrepancies in a manner that would be agreeable to all parties, they told the Senate panel. A national law is also needed to address the discrepancies now emerging between different state laws, they added.