MEDICAL PRIVACY: ‘Sweeping’ Regulations Cause Much Debate
President Clinton unveiled sweeping medical privacy regulations Friday, adding fuel to an already "intense debate" that has erupted as technology makes it possible to "breach the security and privacy of health information on a scale that was previously inconceivable." Under the proposed rules, those medical records stored or transmitted electronically, as well as paper printouts of electronic transactions are protected (Pear, New York Times, 10/30). As he unveiled the 630-page package during an Oval Office ceremony Friday, President Clinton said, "With the click of a mouse, personal health information could easily, and now legally, be passed around without patients' consent to people who aren't doctors for reasons that have nothing to do with health care. One large employer in Pennsylvania had no trouble obtaining detailed information on the prescription drugs taken by its workers, easily discovering that one employee wasHIV-positive. This is wrong. ... These standards represent an unprecedented step toward putting Americans back in control of their own medical records" (Hargrove, Scripps Howard/Washington Times, 10/30). The administration noted that privacy concerns deter people from undergoing certain tests, including those for STDs (New York Times, 10/30). HHS Secretary Donna Shalala, who drafted the new policy, added, "We have worked very hard to do what common sense and common decency says should have been done a long time ago" (Ross, AP/Arkansas Democrat-Gazette, 10/30).
Not Far Enough?
Representatives of several physicians' groups notably absent from the ceremony said that the regulations do not go far enough in that they do not require that patients give consent before their records are shared, only that they be notified. "The AMA believes that the mere notice of a health plan's intended use is inadequate," said Dr. Donald Palmisano, a trustee for the American Medical Association. Under the Clinton administration's plan, the insurer would have to obtain the patient's permission before releasing the information for purposes unrelated to medical treatment or claims payment, however health plans could use health information without a patient's consent for the following reasons: "assessing the quality of care and the performance of doctors and nurses; developing clinical guidelines; setting premiums for the renewal of insurance contracts and investigating fraud." In theory, the rules would establish minimum protections for patients' privacy and would not override any provisions of state law that were more restrictive than the federal requirements. But William Bruno, an attorney for the American Psychiatric Association, said that patients stand to lose some of the protections they already have. Noting that currently, "many hospitals will not disclose medical records unless the patient gives consent," Bruno says that the government is now "saying it's not required. It's giving a green light for significant changes in current practice."
What's It Going to Cost?
The insurance industry objects "in particular, to a provision that would make them responsible for privacy lapses by companies that collaborate in the care of a patient. HMOs and insurers also are liable for any violation of the policy by their "business partners," including drugstores, lawyers, auditors, billing firms and consultants. But Kristin Bass, director of legislative affairs at the American Association of Health Plans, said that "an HMO would have little power over a drugstore that improperly sold information about a patient to a drug manufacturer," yet would be held responsible for the drugstore's behavior. These groups will have to follow "stringent new rules" for handling consumer's data, including training employees about medical privacy and designating an employee to act as a privacy point person who would monitor and install privacy and confidentiality protocols. The administration estimated that the new regulations would cost the health insurance industry $3.8 billion over five years, however, the insurance industry pegged the figure at 10 times that amount (Pear, New York Times, 10/30). A recent Blue Cross and Blue Shield Association study discovered similar confidentiality requirements would increase health care costs by $43 billion over the next five years (Rubin, AP/Los Angeles Times, 10/29). Federal officials estimated it would cost physicians, hospitals and HMOs more than $400 million to notify patients of their privacy rights, as required by the rules. In addition, the five-year cost of working out patient requests to correct medical records could top $2 billion. For violating the rules, an individual would be required to pay a civil penalty of $25,000, $50,000 and one year in jail for criminal "willful violations" and $250,000 and 10 years in prison if the offender tried to use or sell data for "commercial advantage, personal gain or malicious harm" (New York Times, 10/30).
The Wall Street Journal reports there are "significant gaps in the regulations," including the fact that paper records that have never been electronically transmitted are not protected. Also, lawyers, auditors, consultants, third-party administrators and several other individuals who come into contact with medical information are not barred from using patient records without permission (Wall Street Journal, 10/29). Even Clinton and Shalala have admitted the rules aren't completely comprehensive. During his presentation, Clinton said, "There are still protections we can give our families only if there is an act of Congress passed" (Hudson, Knight Ridder/Boston Globe, 10/30). Shalala added that "the administration still wants Congress to enact comprehensive legislation." House Ways and Means health subcommittee member Jim McDermott (D-WA) said, "President Clinton and Secretary Shalala have presented us a package that is generally good. ... (But) the most striking thing about these regulations is how they highlight the need for strong medical privacy legislation." Sen. Christopher Dodd (D-CT) added that he hoped the administration's action "will light a fire under Congress, so that we can deal with this critically important issues in a serious, bipartisan and comprehensive way" (Koffler, CongressDaily, 10/29). Sen. James Jeffords (R-VT) vowed to draft new legislation "to give patients and their health records the true privacy protection they deserve" (Ross, AP/ArkansasDemocrat-Gazette, 10/30). The public will have two months to comment on the proposals, and then the HHS is expected to issue final rules by Feb. 21, 2000 (New York Times, 10/30).
After Clinton presented the new rules, opinionmakers and experts offered their views:
- Clinton's regulations are a "good baseline on which to build stronger privacy rights for patients," according to an editorial in today's New York Times. But the "incomplete first step" warrants a closer look, as the rules "may need to be tightened before they become final." As it stands, there may still be too much disclosure without patients' consent, and the rules "do not directly govern how employers, life insurers or public health agencies handle medical information. Nor do they allow individuals harmed by a disclosure of confidential information to sue. Those broader protections are only possible through congressional legislation" (New York Times, 11/1).
- While Clinton "was at least working to allay a growing worry for patients, Congress this year has labored in the opposite direction," notes an editorial in today's Los Angeles Times, which points to banking reform legislation that "offers no safeguards against insurance companies sharing medical files with their banking affiliates. ... Until strict safeguards against such disclosures are in place, banking regulators should make a ban on the sharing of medical data a condition to any merger between an insurance company and a bank" (Los Angeles Times, 11/1).
- "These rules could place physicians in the difficult position of deciding what information about a patient can be shared with another doctor," says Mary Nell Lehnhard, senior vice president of Blue Cross and Blue Shield Association, writing a letter to the editor in today's New York Times. Noting that the proposed rules would "increase paperwork and costs," Lehnhard pegs the cost of compliance at $43 billion and warns that "political leaders must work with the health care community to keep patient records private without threatening the timeliness, quality or cost of care" (Lehnhard, New York Times, 11/1). She added, "We believe that all patients should have the piece of mind that comes from knowing their personal records are secure, and we are outraged when breaches of this trust occur. But why do we need 600 pages of regulations to protect medical records when the Bill of Rights takes only one page to provide Americans with all their basic rights. Why didn't the administration just simply spell out what activities are illegal?" (Richmond Times- Dispatch, 10/30).
- A Washington Post editorial lauds the new regulations as "basic privileges whose enshrinement in law was long overdue." The editorial notes that privacy bills were "gridlocked in Congress" because some were "unwilling to give up the chance to make bales of money on information about people's ailments, habits and medications" and expresses hope that those unhappy with the new rules won't try to extend Congress' deadline to enact a medical privacy law itself (Washington Post, 10/31).
- The "devil is in the details," a New York Post editorial asserts, and with the new privacy rules, Clinton has chosen to ignore another problem with health care -- "spiraling" costs. The editorial concedes that "some updating of privacy rules is likely needed," but the reason behind the new rules is that Clinton could not pass "up an opportunity to regulate" (New York Post, 10/31).
- Dr. Paul Appelbaum, vice president of the American Psychiatric Association, said, "The new regulations ... do not go far enough to repair the torn fabric of medical records privacy. People with mental illness have witnessed a steady erosion of privacy over the past 20 years, and we in the medical profession have seen first-hand the struggles our patients have had to endure as a result." Appelbaum suggested the rules govern both paper and electronic records (APA release, 10/29).
- Karen Ignagni, president and CEO of the American Association of Health Plans, said that the association is "concerned that certain provisions may have adverse unintended consequences for patients. We are committed to working actively with the administration to resolve these concerns" (AAHP release, 10/28).
- Chip Kahn, president of the Health Insurance Association of America, cheered Clinton for "taking steps to protect the confidentiality of Americans' medical records," but insisted that the new regulations would impede upon some of the work of insurers, health plans, doctors and hospitals. Kahn asserted that regulations "must allow this information to be used appropriately," such as when doctors, hospitals and health plans share information to inform consumers about potentially life-saving health screenings (HIAA release, 10/29).