Medical record portability may erode patients’ rights
Medical record portability may erode patients’ rights
Some pending legislation limits patients’ choices
As the deadline nears for government adoption of regulations that will protect the confidentiality of patient medical information, some experts fear that the rush to make health information accessible will erode patients’ rights to privacy and leave ethics committees making difficult decisions for hospitals.
"We are very concerned that some of the bills on Capitol Hill and even the President’s privacy regulations eliminate the choice and control citizens now have over their medical information," says James Pyles, a privacy expert and health care attorney who lobbies Congress on behalf of the Chicago-based American Psychoanalytic Association. "It is ironic that the new regulations are designed to increase public control, when, in fact, they decrease or eliminate it in most cases."
The Health Insurance Portability and Account ability Act of 1996 required Congress to pass regulations protecting the confidentiality of individually identifiable patient medical information by Aug. 21, 1999. In the event Congress failed to do so, the Department of Health and Human Services (HHS) would be required to implement its own confidentiality regulations by Feb. 21, 2000.
Although four separate legislative measures were introduced last year, none passed, and HHS Secretary Donna Shalala proposed departmental regulations on Oct. 29, 1999.
As this issue of Medical Ethics Advisor went to press, HHS announced it was delaying implementation of the regulations due to an overwhelming number of comments on the proposed rule. The comment period was extended, and a date for final implementation of the rule has not been set.
The main sticking point for Pyles is that the proposed regulations do not specifically require obtaining the patient’s consent for releasing identifiable medical information.
"As the regulations are currently written, the patient would not have the choice to not give out the information," he says. "and they don’t require any record to be kept of the disclosure. So the patient would not only not know when and where the information went out, they would have no way of finding out."
Although the regulations state that the patient’s right to privacy should not be violated and that agencies and people who obtain individually identifiable information through "false pretenses" should be subject to punishment, the regulations do not provide for enforcement of those protections and, essentially, remove the individual patient’s ability to protect himself, says Pyles.
"The rules state the individually identifiable information can be given out if the purpose is for one of three things: medical treatment, payment, or for health care operations. There is no requirement that the patient consent," Pyles explains. "The terms are so broad that almost any organization could make an argument to obtain that information, and the patient would not only have no power to keep the information private, he or she would not even be informed that the disclosure was made."
Although the regulations were designed with the intent of facilitating the sharing of medical information among providers and throughout the health care system, the end result will be a massive violation of patient-provider trust, says Pyles.
Once identifiable patient information is disclosed to one source, it can be disclosed again and again without the patient’s consent or even knowledge, notes Pyles.
"I don’t think this proposal was thoroughly thought out," he says. "If the public cannot trust that their private medical information can be kept confidential, then they will decide to seek treatment underground, outside the system."
The Chicago-based American Health Infor mation Management Association (AHIMA), a professional organization representing 40,000 health information management professionals, submitted comments on the proposed rule Jan. 20. In general, AHIMA supports the HHS effort to form a "clear and consistent set of privacy standards" for the entire country.
"The current legal obligation of health care providers to maintain the confidentiality of health information is based on what the Office of Technology Assessment found to be a patchwork quilt of federal and state laws," wrote AHIMA executive vice president/CEO Linda L. Kloss, MA, RHIA.
"We commend HHS for proposing standards consistent with the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996," she wrote.
Regulations don’t go far enough
However, the association did make several recommendations to strengthen the privacy protections in the proposal, including the following:
• add language that would require agencies obtaining information to only acquire the minimum amount of identifiable information necessary for the performance of their specific treatment or health care task and to destroy the record of the information afterward;
• establish a standard for "de-identifying" health information so the patient’s identity is not discernible and outline penalties for agencies that receive de-identified information and then "re-identify" it or reinsert information linking the information to a specific patient;
• add language that would offer more pro tection for the patient against unauthorized re-disclosure of identifiable information from the covered agency to a third party.
Interestingly, AHIMA did not object to the re moval of the patient’s right to restrict the release of identifiable information to third parties.
"While we believe individuals should have the right to access, copy, amend, and correct their information, giving them the right to request restricting its uses and disclosures is in contrast with the intent of the proposed rule," AHIMA’s comments state. "Permitting patients to dictate the flow of their health information for treatment, payment, and health care operations will seriously hamper the ability to achieve the intentions stated above."
Pyles considers that opinion to be dangerous. "The regulations propose to substitute security measures to protect the information [in place of requiring patient consent for release]," he says. "But the regulations also concede that they don’t have authority under the statute to institute effective enforcement of these protections. They are rendering the patient incapable of protecting themselves, and then the government cannot provide substitute protection. The bottom line is the right to privacy is eliminated."
In the event the regulations are put into effect, hospitals will be placed in the uncomfortable situation of deciding when it is appropriate to release identifiable medical information. Most likely, those decisions will be brought to the ethics committee for resolution.
"Right now, if a physician or hospital receives a request for a patient’s medical record, the only thing they can do is ask for the patient’s consent," Pyles says. "If the patient does not consent, that is the end of it."
Under the proposal, however, the provider can be placed in the position of deciding whether the purpose of the request for the information is for "treatment, payment, or health care operations."
"It could be an employer, a health plan, or insurer or any other individual or agency making the request," Pyles says. "As long as they convince the provider that they have a valid reason for giving the information, it would be legal. And what if the provider makes the decision to release that information and, at a later date, a court decides the disclosure violated the patient’s privacy?"
Implications not well-understood
The damage release of confidential medical information can have is not well-understood by many Americans, including some of our country’s leaders, says Claire Dixon-Lee, PhD, RHIA, immediate past president of AHIMA.
During her tenure, AHIMA sent a letter to Sen. John McCain (R-AZ) asking the presidential candidate to reconsider his decision to release his entire medical record to the media.
"We as the public are, essentially, hiring the president," she says. "Are we going to require all applicants for that job to turn over their medical information? What does that say about other employers’ ability to demand this information?"
The American public needs to become more savvy about what that might mean, she says. "We need to do more education with the public about what information is contained in the medical record." For example, a given patient’s medical history will contain not only information about the patient himself or herself, but about his parents and possibly siblings, she notes. Clinicians use the medical record to document their decision-making process in deciding for or against certain treatments or therapies.
"When you consider allowing the public to have access to this information, you are really releasing information about more than just your own personal medical history," she advises.
If physicians feel the documentation of the process they go through to make decisions will be shared with multiple third and fourth parties, they may become reluctant to put that information in there, she adds.
"What we don’t want to see happen is physicians creating shadow’ records, where they have the official medical record and then another record detailing the process that they go through to make a treatment decision."
Currently, the medical record is designed to include information about the patient that is shared with other providers who care for that patient, not for anyone who just might be interested in knowing, she says.
The Washington, DC-based American Asso ciation of Health Plans also opposes the HHS proposal, but on the grounds that the privacy requirements are so broad that they afford patients too much power to restrict access to their medical information.
Pyles argues that health plans and other agencies wanting health information for the purposes of statistical analysis or quality control should be able to use the information without the patients’ identifying information attached.
"We have no objection to the release of information if it is stripped of all identifying factors," Pyles notes. "Then it does not violate a person’s right to privacy."
• For the AHIMA comments on the proposed regulations, go to the organization’s Web site: http://www. ahima.org/privacy.comments.html.
• For a copy of the proposed regulations from the Department of Health and Human Services, see the Nov. 3, 1999, Federal Register, p. 59,917.
• James Pyles, American Psychoanalytic Association, 222 N. LaSalle St., Suite 400, Chicago, IL 60601.
• Claire Dixon-Lee, P.O. Box 285, Oshtemo, MI 49077.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.