Patient Privacy Rights

About HIPAA Summit Media Contact DONATE

Doctors, patients grapple with specifics of privacy rule

Howard Miller's office is primed for privacy. The computers have plastic shields to ward off prying eyes. The patient files are coded by number, not name. The files hanging outside the examining rooms face inward to hide names and ages.
But sometimes Miller, a Center City internist, thinks privacy protections have gone too far.
"I have this one huge Italian extended family I've been treating for years," he said. "One of them got sick and they were all calling to ask questions. And I couldn't say anything to them because they weren't on the list of contacts the patient had approved."
That's the only way Miller can comply with the patient-privacy rule of the federal Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. The law profoundly changed how doctors talk to and about patients, as well as how patients themselves negotiate the health-care system.
But two years after the privacy rule took effect, there is still widespread confusion about who can give what medical information to whom and grumbling about bureaucracy and weak enforcement. There is an even deeper debate: Does the law protect or undermine patient privacy?
Tomorrow, that debate will be heard by the U.S. Court of Appeals for the Third Circuit in Philadelphia.
The Clinton administration required a patient's written permission to release confidential information for "routine purposes," such as treatment and payment. The Bush administration made consent optional. Now, patients simply sign a basic "notice of privacy practices."
In April, U.S. District Judge Mary A. McLaughlin in Philadelphia ruled that the new provisions did not violate patient privacy and that the government had no legal responsibility to "act affirmatively to protect such rights." Federal officials also said it would be too cumbersome to get consent every time an insurance company or medical specialist needed patient data.
Deborah Peel, for one, was appalled by the ruling.
"You can have your information disclosed for 'routine purposes' with no consent, no notice, no recourse. Excuse us, you have just eliminated a fundamental constitutional right," said Peel, a psychiatrist in Austin, Texas, and a plaintiff in the case with Citizens for Health, a patient advocacy group, and others.
Without a privacy guarantee, patients might withhold crucial information from doctors, fearing it could be used against them by bosses, banks and others.
"The joke is that soon you're going to call Domino's Pizza and they're going to know that they can't send the extra cheese because you've got high cholesterol," said plaintiff Janis G. Chester, who teaches psychiatry at Thomas Jefferson University.
The federal Health Insurance Portability and Accountability Act, which grew out of President Clinton's failed effort to revamp health care, was designed to reduce fraud and prevent people from losing insurance when they leave jobs. But the privacy rule soon became the most talked about part of the law.
It required written consent to release test results, diagnoses and other information to doctors, dentists, hospitals, HMOs, group health plans, insurance companies, billing companies and others. The rule also gave patients access to their records and the right to find out when and to whom they have been disclosed.
In the long term, HIPAA was supposed to simplify electronic health records, which would save money. In the short term, however, it has created inconsistencies from one institution to another and cost millions for training and paperwork, lawyers and compliance officers.
Laurinda B. Harman, head of Temple University's department of health information management, jokes that HIPAA stands for Huge Increase in Paperwork and Aggravation Act. "Is it hard to comply?" she asked. "No, but it's one more form."
Richard Campanelli, director of the federal Office of Civil Rights, which oversees HIPAA, believes the privacy rule has done exactly what it set out to do: give medical consumers power over their records. While acknowledging confusion early on, he said that most patients and providers now understand the boundaries of the law.
"People are very sensitive to their rights and they know that they have these rights," he said.
Of the 10,785 HIPAA complaints received by the agency, more than 60 percent have been resolved without penalties and 38 percent remain under investigation. Critics note only 170 were referred to the U.S. Department of Justice for criminal investigation - and not a single civil penalty has been issued.
Kate O'Brien, 24, of Lindenwold, N.J., believes the law has only complicated matters for consumers. A program specialist for the Association for Retarded Citizens in Camden, she was told HIPAA would not permit her to get her medical test result over the phone.
"I had to drive all the way over from Pennsauken to Voorhees to pick it up," she said. "Was it really necessary?"
The truth is: no. Doctors, with patient approval, can release information over the phone.
The act also has made it hard for some agencies to help those in their care.
Joe Young, deputy director of New Jersey Protection and Advocacy Inc., a medical advocacy group in Trenton, said that psychiatric hospitals sometimes refuse to contact family members when his mentally ill clients are in crisis - and cannot remember their medical history.
"It's wrong to freeze out family members who may be able to provide assistance," he said.
Still, many doctors acknowledge HIPAA has had some positive effects.
"It's created a new sort of awareness in the office, even in the idle chatter between physicians and the nursing staff," said urologist Al Ruenes of Central Bucks Urology in Warminster and Doylestown.
A few years ago, he said, doctors routinely left X-rays on light boxes, and it was not uncommon for a patient to overhear staff ask for "Mark Summer's CAT scan" over the intercom.
Many researchers complain that they can no longer recruit patients directly from doctors' records. They must rely on doctors for referrals.
"Most physicians are just too busy to do that," said Roberta B. Ness, a University of Pittsburgh epidemiologist, who saw recruits for one study fall by half after HIPAA.
But at the University of Pennsylvania, oncologist Julia Draznin said, new patients now sign several consents at once, including one for research. No more time-consuming searches for study volunteers.
"Things are definitely getting better" with HIPAA, she said. "Common sense prevails."
Contact staff writer Virginia Smith at 215-854-5720 or vsmith@phillynews.com.
HIPAA Myths and Facts.
Myth: One doctor's office cannot send a patient's medical records to another doctor's office without patient consent.
Fact: No consent is necessary.
Myth: Doctors cannot communicate with patients by e-mail.
Fact: E-mails, with proper safeguards, are permitted.
Myth: A patient cannot be listed in a hospital directory without consent and the hospital cannot share that information with the public.
Fact: Hospitals may provide a patient's name, location and general condition to the public unless the patient specifically opts out.
Myth: Clergy members are not entitled to information about hospitalized members of their religious affiliation unless they know the person by name.
Fact: Clergy are entitled to this information unless the patient objects.
Myth: Patient information cannot be shared with family members without patient consent.
Fact: Relevant information may be disclosed to relatives or friends named by the patient. In case of emergency or patient incapacity, the doctor's "professional judgment" prevails.
Myth: Family members may not pick up a patient's prescriptions.
Fact: Relatives or friends acting on patient's behalf may pick up prescriptions, but some pharmacies may prohibit this on their own.
Myth: Patients can sue health-care providers for not complying with HIPAA privacy rules.
Fact: Patients cannot sue. They can file written complaints with the federal Office for Civil Rights.
Myth: Patients' medical records cannot be used for marketing.
Fact: HIPAA permits the use of medical information for certain health-related marketing, such as a plan's health-related products or alternative treatments.
Myth: If a patient refuses to sign a form acknowledging receipt of privacy practices, a doctor or hospital can refuse treatment.
Fact: The law does not allow this.
Myth: HIPAA makes hospital fund-raising almost impossible.
Fact: Hospitals, with patient permission, may use or disclose basic patient information for fund-raising, but patients must be given the option of declining future fund-raising communications.
SOURCE: The Health Privacy Project