How would you feel about your personal health information flowing freely over the Internet between public health officials, healthcare providers, insurance and data clearinghouse companies, and others – without your permission?
If this doesn't sound like a good idea, it's time to become informed about federal health privacy law.
Today, when Americans visit a healthcare provider for services (including dental and eye exams), they receive a form with a title such as "Notification of Privacy Rights." Many assume that signing the form guarantees that personal information won't be shared with third parties. But the form offers no such guarantees. And neither does federal law.
In fact, the privacy rule established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) legally permits healthcare providers to share patients' information with more than 600,000 health- and data-related entities – without a patient's consent. Yet the notification form doesn't clearly explain this.
Individuals control their information when they give consent; they don't with notification. When you sign a notification form, all you are doing is acknowledging its receipt. The HIPAA notification form offers no control over who sees your information and instead just tells you about some of the entities that can access your information, rather than asking for your permission.
Consequently, many physicians and other healthcare providers are urging Congress to strengthen privacy rights. They know firsthand that the HIPAA rule fails to ensure true confidentiality.
"...[T]he regulations under [HIPAA], which were intended to extend patient privacy as we moved from a paper-based system of medical records to a digital system, are a sham. HIPAA allows the routine release of personal health information without patient consent or knowledge, and even over a patient's objection…" stresses Dr. Janis G. Chester, president of the American Association of Practicing Psychiatrists.
As the ACLU put it, "HIPAA has so many medical privacy loopholes, it makes Swiss cheese look solid." The organization also points out that under existing federal regulations, the term "privacy" hasn't been well defined. The ACLU is urging Congress to define medical privacy as "patient control of electronic medical records."
Moreover, these organizations and others are lobbying for privacy amendments to key health Internet-technology (HIT) bills currently being considered in Congress.
Lack of privacy has serious consequences. It encourages turning personal health information into a commodity that businesses sell and trade in the marketplace, notes the ACLU. Weak privacy rights also interfere with doctor-patient relationships. When drafting the HIPAA privacy rule, the US Department of Health and Human Services (HHS) noted that "Privacy violations reduce consumers' trust in the healthcare system and institutions that serve them." The ACLU noted recently that at least one third of Americans are not sharing their complete personal medical histories because they feel their privacy will be weakened in the name of efficiency. Additionally, without strong privacy rights, individuals can't take steps to adequately protect themselves from bad, lost, stolen, or misused data.
Meanwhile, more and more personal data is being collected during routine healthcare visits, including information about marital and sexual matters. A married woman (wedded for over 30 years) and mother of two adult children said she was appalled when asked during a routine visit if she preferred men or women. She stressed that while she "has nothing to hide," she doesn't think it's anyone's business what her sexual preference is or when her first sexual encounter was (which is often asked during exams).
What's more, it is becoming easier to share healthcare information with just a click of a mouse. As HHS has noted, "Until recently, health information was recorded and maintained on paper and stored in the offices of community-based physicians, nurses, hospitals, and other healthcare professionals and institutions.... Today, however, more and more health care providers, plans, and others are utilizing electronic means of storing and transmitting health information…. In a matter of seconds, a person's most profoundly private information can be shared with hundreds, thousands, even millions of individuals and organizations at a time."
Do Americans really want the intimate details of their lives and families shared so easily without their consent? If not, they need to urge Congress to establish stronger privacy rights. Tinkering with HIPAA won't do it. That would just keep a lot of people busy rewriting regulations that don't guarantee privacy. Rather, Congress needs to pass a new law that defines "privacy" and upholds the precious ethic of consent. The new law should guarantee individuals' freedom to decide whether to be part of electronic medical-record and genetic databases for years to come.