Proposed privacy regs would allow ‘trolling’ through patient records

Advocates offer qualified support, chide Congress for lack of legislation

Long-awaited federal regulations on medical privacy made their debut in early November to some protests from a leading physician group and the cautious approval of the health insurance industry. Key advocates seemed equivocal.

"The Administration has made significant headway where Congress could not to restore public trust and confidence in our nation’s health care system," said a statement from Janlori Goldman, director of the Health Privacy Project at Georgetown University in Washington, DC. "When finalized, these landmark regulations will be the first enforceable federal health privacy rules," she said.

The proposed regulations implement the federal 1996 Health Insurance Portability and Accountability Act (HIPAA), which calls for Health and Human Services (HHS) to develop such rules given Congress’ failure to approve privacy legislation by Aug. 21 of this year.

Activities covered by the proposed privacy protections fall into two broad categories. (See fact sheet, p. 3.) The first category consists of treatment, payment, and health care operations. The second category addresses other purposes such as law enforcement, oversight of the health care system, research, and public health. The draft regs acknowledge that HHS’ scope is limited in this second category.

The rules would apply to certain kinds of information, not to specific records, and the protections would kick in once this information is transmitted or maintained electronically, regardless of whether it is later printed, spoken, or transferred to some other form. The protections also apply to the original paper version of information that is converted to electronic form.

While recognizing they provide some privacy protections with regard to financial and similar uses of identifiable data, the American Psychiatric Association in Washington, DC, has "grave concerns" about the proposed regulations, says association vice president Paul S. Appelbaum, MD. He’s appalled that the regulations would appear to allow physicians to go "trolling" through medical records of individuals other than their patients. He cites HHS language in the preamble on the right to use and disclose protected health information for treatment purposes:

We intend that the right to use and disclose protected health information be interpreted to apply for treatment and payment of all individuals. For example, in the course of providing care to a patient, a physician could wish to examine the records of other patients with similar conditions. Likewise, a physician could consult the records of several people in the same family or living in the same household to assist in diagnosis of conditions that could be contagious or that could arise from a common environmental factor. A health plan or a provider could use the protected health information of a number of enrollees to develop treatment protocols, practice guidelines, or to assess quality of care. All of these uses would be permitted under this proposed rule.

The ability of providers under the regulations to share identifiable health data with consultants, lawyers, accountants, and other "business partners" raises a red flag with James Hodge, JD, LLM, adjunct professor of law at Georgetown University Law Center. He’s not comforted knowing that the regulations require a contractual relationship between the providers and their business partners before the data could be shared. "I’ll be the first to tell you, when you open the door to that type of exchange of data — to unidentified business partners — I think you begin to weaken the effect of the regulation," he says.

Intended use of the data for government purposes also concerns Mr. Appelbaum, who serves as professor and chair of the department of psychiatry at the University of Massachusetts Medical Center in Worcester, MA. According to the preamble to the regulation, HHS intends to "permit covered entities to disclose protected health information for inclusion in state or other governmental health data systems without individual authorization when such disclosures are authorized by state or other law in support of policy, planning, regulatory, or management functions."

It would be hard to find a government agency that would not have a use for identifiable information for "policy, planning, or regulatory functions," Mr. Appelbaum says.

The regulations supersede any conflicting state laws, but allow states to pass tougher privacy regulations if they so choose. So-called floor preemption is a "very responsible approach," says Mr. Hodge, who directed a project at the law center, separate from Ms. Goldman’s Health Privacy Project, to develop a model state privacy act.

He says he’s not sympathetic to the concern of the Health Insurance Association of America about the burden of complying with a patchwork of privacy laws in 50 states and the District of Columbia. "They’ve been living with that for the last 100 years, and they can continue to deal with that."

Mr. Hodge notes that the regulations expand an individual’s access to his or her own health data and, importantly, ought to boost the public’s confidence that health data are private. But he does join advocates, the insurance industry, and HHS in noting that the HIPAA and the proposed regulations address only part of the full range of protections needed to ensure the privacy of health information.

"This is not a comprehensive health privacy act that applies to all health data regardless of the source or regardless of the purpose for which they are exchanged. This is an important part of the privacy puzzle, but it’s not the complete part," says Mr. Hodge.

Still, the publication of the regs seems to be an acknowledgement by the Health Care Financing Administration of what is voiced by observers on all sides of the issue — that given other health care priorities, Congress is unlikely to take up privacy legislation again anytime soon.

The proposed rule was published in the Federal Register on Nov. 3 and will be open for public comment until Jan. 3, 2000. The full text of the proposed rule is found at http://aspe.hhs.gov/admnsimp/.

Contact Mr. Appelbaum at (508) 856-3066 and Mr. Hodge at (202) 543-2992. Mr. Hodge is lead author of a recent analysis of legal issues in health data privacy. (See: Hodge Jr. JG, Gostin LO, Jacobson PD. Legal issues concerning electronic health information-Privacy, quality, and liability. JAMA 1999; 282:1,466-1,471.)