Government

One year later, mixed reviews for privacy rule

Some say there aren't enough protections; others complain of overzealous interpretation.

By Joel B. Finkelstein — Posted May 3, 2004

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

Washington -- One year after implementation, the federal health privacy rules are still generating controversy.

Privacy advocates say the government isn't doing enough to enforce the rule. Some experts argue that the regulation itself is a problem because it doesn't do enough to protect privacy, while still others say that the health care community is occasionally going too far and limiting legitimate access to patient information.

Despite these varying assessments, federal officials and many in the medical community say they are happy with the progress they have made toward full compliance with the rule.

At last count, the Dept. of Health and Human Services' Office of Civil Rights had received 5,350 complaints -- a steady flow of around 100 a week -- alleging infractions of the privacy rule.

Enforcement of the regulation, which was mandated as part of the Health Insurance Portability and Accountability Act, is complaint driven.

The office has managed to close about 47% of those cases, often with little more than a phone call explaining to the physician or other entity what the rule says and what they need to do to comply.

Physician practices top the of list of those named in privacy complaints, followed by hospitals, pharmacies and outpatient facilities, OCR said.

It's no coincidence that the top four are also the groups having "routine and direct contact" with patients, said OCR Director Richard Campanelli.

Types of complaints

The types of complaints have remained fairly consistent: impermissible use or disclosure of protected health information, a lack of adequate safeguards to protect identifiable information, refusal or failure to provide an individual with access to or a copy of his or her records, the disclosure of more information than is minimally necessary to satisfy a request, and failure to provide the individual with a notice of privacy practices.

Many of these infractions are based on simple misunderstandings of the law. More complex cases are still being processed by OCR, although none has resulted in penalties yet, Campanelli said.

Several dozen cases have been turned over to the Dept. of Justice for possible criminal prosecution. A Justice Dept. spokesman would not comment on their status.

The lack of civil or criminal charges in the rule's first year has some privacy advocates complaining that the government is taking too passive an approach to implementation.

The Washington, D.C.-based Health Privacy Project recently released a HIPAA privacy checkup that gives the Bush administration a failing grade because of "lax enforcement and minimal public education."

Campanelli responded to those allegations. "Our approach is to adopt the most efficient means to make sure that patients get their rights and protections," he said. "We anticipated, and it has proven true so far, that the most effective means of doing that is through voluntary compliance.

"If we feel like we have a problem and we can't get the cooperation of the covered entity in proceeding, those are cases where it's going to be more appropriate to proceed with penalties," he added.

For most doctors, compliance with the privacy rule has been "business as usual," said AMA Trustee Joseph Heyman, MD. The medical profession has always placed a very high priority on patient privacy, he said.

But for physicians in solo and small practices, posting and handing out the notice of privacy practices can be a time-consuming and costly administrative burden, he said.

Aside from that unfunded mandate, instances of overly aggressive interpretation of the privacy rule have caused trouble for some physicians. Stories about immediate family members being refused information about a sick relative's hospitalization or a doctor's inability to get critical medical information about a patient from another physician have appeared in various news media.

"Many in our profession may think that because it's a law, it means they have to do more than they do," Dr. Heyman said.

The rule is really little more than a validation of the privacy considerations that physicians have always embraced, he said. But it offers the benefit that business partners now are bound by the same high standards.

While HHS officials think implementation is going smoothly, they are keeping their ears to ground for problems. Changes to the rule can be made once a year.

Several groups are ready with suggestions. In their checkup, privacy project officials called for lawmakers to give patients an individual right to sue if they are not satisfied by remedial actions taken by the federal government. They point to federal officials' failure to impose civil penalties as one reason why individuals might not be satisfied with the current process.

Some doctors also question last-minute changes to the rule that removed the need to get patient consent to share protected health information among physicians and others.

The California Medical Assn. recently passed several resolutions supporting congressional legislation to restore patients' right to consent and to reaffirm the importance of protecting the confidentiality of not only individual patients but also groups of patients.

Those resolutions were, at least in part, motivated by attempts by the Justice Dept. to subpoena the health records of women who received late-term abortions from several physicians who have sued to stop a "partial-birth" abortion ban from going into effect, said Stephen J. Walsh, MD, an advocate for the measures.

"The [Bush] administration used the rule to say that they can see patients' health records," he said.

In requesting the subpoena, the Justice Dept. argued that "individuals no longer possess a reasonable expectation that their histories will remain completely confidential."

Physicians are concerned that patients no longer can opt out of information sharing with health plans, employers, pharmacists and others.

"Because of the rule, our health records can be accessed by all manner of people without our knowledge or consent," Dr. Walsh said.

Back to top


ADVERTISEMENT

ADVERTISE HERE


Featured
Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story


Read story

Goodbye

American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story


Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story


Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story


Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story


Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story


Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story


Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story

  • Stay informed
  • Twitter
  • Facebook
  • RSS
  • LinkedIn