Federal Medical Privacy Rule Poses New Challenges
The Health Insurance Portability and Accountability Act's medical privacy rule "is misunderstood by medical professionals," translating to "frustration -- and even peril" in some cases, the New York Times reports (Gross, New York Times, 7/3).
The HIPAA Federal Privacy Rule, implemented in 2003, allows health care providers to share patient medical records for the purposes of treatment and other "health care operations." Providers do not have to obtain written consent before they disclose medical records but are required to inform patients of their rights and make a "good-faith effort" to obtain written acknowledgment from patients that they have received the information. Providers must obtain consent from patients before they can disclose medical records in "nonroutine" cases (California Healthline, 6/20).
According to the Times, experts say that many health care providers misunderstand the medical privacy rule, have not trained their staff to apply it fairly, or are afraid of being fined or jailed, even though no medical provider has been penalized in four years for violating the rule.
Recent studies have found that some health care providers follow HIPAA privacy regulations "overzealously, leaving family members, caretakers, public health and law enforcement authorities stymied in their efforts to get information," according to the Times.
Unnecessary secrecy because of poor understanding of the medical privacy rule is a "significant problem," Mark Rothstein -- chair of a privacy subcommittee that advises HHS, which administers HIPAA -- said.
"It's drummed into [health care providers] that there are rules they have to follow without any perspective," Rothstein said, adding, "So, surprise, surprise, they approach it in a defensive, somewhat arbitrary and unreasonable way."
Susan McAndrew, deputy director of health information privacy at HHS, said that although problems have become less frequent, providers still hide behind the law. McAndrew said, "Either innocently or purposefully, entities often use this as an excuse. They say, 'HIPAA made me do it' when, in fact, they chose for other reasons not to make the permitted disclosures."
According to the Times, a positive effect of the medical privacy rule has been to make "confidentiality a priority as the nation moves toward fully computerized, cradle-to-grave medical records."
Sen. Edward Kennedy (D-Mass.), who sponsored the original legislation, said he is unhappy with the "bizarre hodgepodge" of regulations of the law and by HHS' failure to provide "adequate guidance on what is and is not barred by the law."
Kennedy and Sen. Patrick Leahy (D-Vt.) plan to introduce legislation that would create an office within HHS devoted to interpreting and enforcing medical privacy.
"In this electronic era it is essential to safeguard the privacy of medical records while insuring our privacy laws do not stifle the flow of information fundamental to effective health care," Kennedy said (New York Times, 7/3).