Patient Privacy Rights

About HIPAA Summit Media Contact DONATE

How did the Amended HIPAA Rule eliminate my medical privacy?

It eliminated the traditional rights and expectations of individuals not to have their personal health information used or disclosed without their consent.

In place of upholding our privacy rights, HIPAA only gives us the right to “request” restrictions on the use and disclosure of our personal identifiable health information. It does NOT guarantee that we can restrict who can see and use our medical records. Section 164.522(a) (1). The new Rule is quite specific that “a covered entity is not required to agree to a restriction” requested by an individual. Section 164.522(a) (1) (ii). Accordingly, the “right to restrict” is really a “right to beg” for restrictions. Covered entities will have a disincentive to grant requests for restrictions on use and disclosure because, because if they agree, they must abide by those agreements and then could be sued for violating the agreements. Section 164.522(a)(iii)Further, covered entities, such as physicians and other direct treatment providers, are unlikely to be able to enter into such agreements even if they wanted to, because such agreements will conflict with policies and procedures imposed by health insurers who require the full disclosure of all health information regardless of the individual’s wishes.

The demands of health insurers will be very difficult for physicians to oppose since insurers were granted “regulatory permission” by the federal government to use and disclose our personal health information for all “routine” purposes.

Example: It is unlikely that a depressed person would have the presence of mind, after having attempted suicide, to ask the hospital and physicians to restrict the use and disclosure of his/her health information. It is likely that a depressed person, like most other Americans, would assume that their medical records would never be used or disclosed without his/her consent. (This is a “common belief” among citizens today, according to the original Rule. 65 Fed. Reg. at 82,472.)

Even if a depressed person had requested that the use and disclosure of his/her sensitive medical treatment records be restricted, the hospital and physicians would have been under no obligation to agree to any such restriction.