It is important to note that the HIPAA privacy rule permits covered entities to disclose individually identifiable health information to public health authorities without patients' authorization. This is a major loophole: it allows patients' personal health information to be shared with many others without their consent. (See 45 CFR Part 164, Subpart E, Privacy of Individually Identifiable Health Information, section 164.512, "Uses and disclosures for which an authorization or opportunity to agree or object is not required," in particular paragraph (b), public health activities.) Further, the information below should be an eye opener.
Proposed Changes to Privacy Rule Won’t Ensure Privacy
The federal government once again is modifying the HIPAA privacy rule. This time around it is modifying the rule to incorporate legal requirements in the economic stimulus law passed in 2009. But since that law does not require consent before health information is shared for most purposes (including treatment, payment, and health-care operations), the modifications will fail to truly protect health privacy rights. IHF first reported on this in March 2009: http://forhealthfreedom.org/Newsletter/March2009.html#Article2
IHF noted that while the stimulus law aimed to prohibit the sale of electronic health records, the exceptions are so broad that it fails to meet its purported objective. In fact, the stimulus law actually permits the selling of Americans’ electronic health records for public-health and research purposes—without patients’ consent. The stimulus law also limits insurers’ access to health data, but only if patients pay out-of-pocket and forgo insurance reimbursement.
Additionally, the stimulus law expanded the number of people authorized to access patients’ personal health information without patients’ consent. Previously HHS estimated that about 600,000 covered entities (and their employees) would have access to patients’ data for many purposes. However, the stimulus law added some 1.5 million “business associates” who can legally access patients’ health records—without patients’ consent. Now over 2 million health-related organizations and their business partners will have legal access to patients’ health data without consent in many circumstances (see table below).
Number of Health-Care Entities and Business Associates With Access to Patients' Health Information under HIPAA Privacy Rule
- Business Associates* (conduct business on behalf of the entities listed below)
- Offices of MDs, DOs, Mental Health Practitioners, Dentists, PTs, OTs, STs, Audiologists
- Durable Medical Equipment Suppliers
- Home Health Service Covered Entities
- Nursing and Residential Care Facilities**
- Outpatient Care Centers***
- Medical Diagnostic and Imaging Service Covered Entities
- Other Ambulatory Care Service Covered Entities (Ambulance and Other)
- Hospitals (General Medical and Surgical, Psychiatric, Substance Abuse, Other Specialty)
- Third Party Administrators Working on Behalf of Covered Health Plans
- Health Insurance Carriers
- Total Entities and Business Associates
* According to HHS, examples of business associates include third-party administrators or pharmacy benefit managers for health plans, claims processing or billing companies, transcription companies, and persons who perform legal, actuarial, accounting, management, or administrative services for covered entities and who require access to protected health information.
** Includes nursing care facilities, residential mental retardation facilities, residential mental health and substance abuse facilities, community care facilities for the elderly, and continuing care retirement communities.
*** Includes family planning centers, outpatient mental health and drug abuse centers, other outpatient health centers, HMO medical centers, kidney dialysis centers, freestanding ambulatory surgical and emergency centers, and all other outpatient care centers.
Source: “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act,” RIN: 0991–AB57, Federal Register, Vol. 75, No. 134, July 14, 2010 (see pages 40872, 40906, 40907, 40911).
Thus, the stimulus law expanded the number of people who can access patients' health information but still failed to give patients the final say in who may, and may not, see their most personal health records. Rather than tinkering around the edges of the weak HIPAA privacy rule (as the stimulus law requires), it is time to call on Congress to change the law to ensure that patient consent is required before personal health information is shared for any purpose, including public health.
What's more, although the stimulus law does not give patients the right to control the electronic flow of their health information, it does require the secretary of HHS to post a list of breaches of "unsecured protected health information" (HHS's term!) affecting 500 or more individuals. The breaches are posted here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
- “HHS Releases Proposed HIPAA Rule Extending Mandate to Business Associates,” Kendra Casey Plank, BNA’s Health Care Policy Report, July 12, 2010.
- “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act,” RIN: 0991–AB57, Federal Register, Vol. 75, No. 134, July 14, 2010.