ou know the drill — you appear for a first visit at a doctor’s office or treatment clinic and among the routine papers for your signature is a Notice of Privacy Practices that explains the federal privacy standards set by HIPAA. You sign that too and all is well… or is it? In fact, the paper you have just signed notifies you that your right to privacy concerning even your most personal health issues no longer exists.
A common misperception is that the “P” in HIPAA stands for privacy. Actually, though the “Health Insurance Portability and Accountability Act” was initially intended to help consumers obtain continual health insurance coverage after leaving a job, despite certain preexisting medical conditions, as well as provide standards for electronic transmission of health-care information. Protecting the individual right to privacy in passing those records along was a secondary concern — though an important one. The regulations to protect patient privacy put a burden on health-care providers and insurance companies — particularly as the nation moves toward development of a national health information system. Addressing those concerns (“administrative simplification” as it was called by Congress) resulted in a complicated and ultimately ineffectual law that, on the one hand, recognizes and protects an individual’s right to privacy with regard to health information — but, on the other hand, fails to delineate those privacy rights that individuals should have. All this was explained to me by James C. Pyles, a Washington, DC, attorney who specializes in health privacy issues and legal issues associated with HIPAA. “I find this ironic, in that the original intent of HIPAA was to protect consumer rights,” he told me.
Obviously doctors and other health-care providers need to be able to disclose information about diagnosis and treatments to insurance companies to the extent it is necessary for reimbursement — that’s not the issue. Rather, the problem is, the way HIPAA now reads makes it acceptable for doctors and insurance companies to use and disclose personal health information in identifiable form for routine purposes defined as treatment, payment or health-care operations — terms that are so broadly defined, says Pyles, that the “least imaginative insurance company can justify nearly any disclosure in any situation, even if the patient wishes to pay privately.” This right to disclose also extends to all business associates of insurance companies and physicians, with no requirement of an audit trail to keep records of these uses and disclosures.