|
|
|||
|
|||
|
|
Media and Feds Whitewash Invasive Medical 'Privacy' Rules Charlotte TwightEditor’s note: This is part three of an article on how federal regulations that purportedly protect medical privacy have in fact done the opposite. Part one: Medical 'Privacy' Regulations Destroy Privacy. Part two: Rules Advance a National ID. For those who have learned about the federal medical privacy rules through the popular media, the benefit would seem clear. The New York Times, for example, reported the forthcoming final rules under the heading "U.S. Plans Tighter Rules on Medical Files’ Privacy” (Pear 2000). Another article described the final HHS rules as "even more protective of consumers’ privacy than the Clinton administration had at first proposed, prompting the industry to increase its objections” and creating what consumer advocates regarded as "a milestone in the history of American medicine, the first comprehensive federal standards for medical privacy” (Pear 2001, A17). Again and again the media echoed the HHS summary of the rule, which proclaimed that "the use of these standards will improve the efficiency and effectiveness of public and private health programs and health care services by providing enhanced protections for individually identifiable health information” (U.S. Dept. of HHS OPE 2000, 82462). Indeed, it is difficult to find in the popular press any report that questions the strength of these privacy protections or suggests their privacy-eroding impact. Journalists, and the Public, Need to Check the Fine Print One has to read the regulatory fine print, lots of it, to see the holes. As I show here, the planned result of the regulation is not medical privacy. Rather, the language of privacy provides window-dressing intended to legitimize the nationwide standardization of medical data that will facilitate access to personal medical information on a scale never before experienced in the United States. Playing the central roles are:
While continuing to proclaim the "importance of privacy” and to assert that "privacy is a fundamental right,” HHS created a rule that dramatically reduces the medical privacy of all Americans (U.S. Dept. of HHS OPE 2000, 82464). Unfortunately, the banner of "privacy” has been waved to marshal public support for federal rules that actually portend privacy’s demise. Curious Terminology First, some terminology. The basic structure of the HHS privacy rule distinguishes consent from authorization for the use or disclosure of individually identifiable health information (called "protected health information”), and it further distinguishes disclosures with either consent or authorization from those without such permission. Consent, by definition, pertains to the disclosure of protected health information to "carry out treatment, payment, or health care operations” (U.S. Dept. of HHS OPE 2000, 82805, §164.502). Authorization pertains to the disclosure of protected health information for purposes other than treatment, payment, or health care operations. Contrary to apparent restrictions in HIPAA, the HHS privacy rule defines protected health information expansively to include not only records transmitted by or maintained in electronic media but also information "transmitted or maintained in any other form or medium,” thereby putting the paper records of our medical histories within the rule’s domain.[3] Similarly, the term health care operations is broadly defined to include even such activities as organizational fundraising and the marketing of medical products and services (U.S. Dept. of HHS OPE 2000, 82803-4, §164.501). Covered entities — health care providers, health plans, and health care clearing-houses — are allowed to use or disclose protected health information to carry out treatment, payment, or health care operations either (a) with the valid consent of the subject individual or (b) without his consent if the use or disclosure falls within the listed "exceptions” to the consent requirement. Likewise, covered entities may use or disclose protected health information for purposes other than treatment, payment, or health care operations either with the valid authorization of the subject individual or without his authorization if the use or disclosure falls within the listed "exceptions” to the authorization requirement. Therefore, two pivotal issues are the meaning of consent and authorization under the HHS regulation and the scope of the exceptions to the consent/authorization requirements.
Consent, Authorization and Opportunities to Object Consider first the situations in which the HHS privacy regulations require the patient’s consent as a precondition for disclosure of his medical information. Apart from the exceptions to be discussed later, the general rule is that a health care provider "must obtain the individual’s consent, in accordance with this section, prior to using or disclosing protected health information to carry out treatment, payment, or health care operations” (U.S. Dept. of HHS OPE 2000, 82810, §164.506a). So far so good. Next, however, the regulations state that a covered health care provider "may condition treatment on the provision by the individual of a consent under this section,” and that a health plan "may condition enrollment in the health plan on the provision by the individual of a consent under this section sought in conjunction with such enrollment” (U.S. Dept. of HHS OPE 2000, 82810, §164.506b, my emphasis). Coerced Consent In other words, although all health care providers and health plans are required to obtain consent in these cases, they can refuse to provide services unless this "consent” is forthcoming. Under the HHS privacy regulations, the patient therefore has no meaningful choice about this so-called consent; the patient’s only available alternative is to forgo medical treatment. Our health care providers will offer us the following deal: Cooperate and sign the consent form or be deprived of medical care. Coerced consent might be a more apt term.[4] Moreover, the rules provide no assured legal channel by which a patient may restrict disclosure of personal medical information. Driving that point home, the regulation requires that a valid consent form must state that the "individual has the right to request that the covered entity restrict how protected health information is used or disclosed to carry out treatment, payment, or health care operations,” but it adds that "the covered entity is not required to agree to requested restrictions” (U.S. Dept. of HHS OPE 2000, 82810, §164.506c, my emphasis; see also 82822, §164.522). HHS was equally clear in explaining the patient’s lack of a legal right to sue over violations of medical privacy. In response to public comments arguing that "individuals should be able to sue for breach of privacy,” HHS stated, "We agree, but do not have the legislative authority to grant a private right of action to sue under this statute” (U.S. Dept. of HHS OPE 2000, 82566). The rules regarding authorization resemble those regarding consent. The general rule is that covered entities "may not use or disclose protected health information” without a valid authorization (U.S. Dept. of HHS OPE 2000, 82811, §164.508). Compared to the consent regulations, the authorization rules more extensively restrict covered entities’ ability to withhold medical services if a patient refuses to authorize disclosure of protected health information. Of course, there are exceptions, which allow the withholding of research-related treatment as well as the denial of enrollment and benefit eligibility if access to relevant information is not authorized. As with the consent regulations, however, the most significant exceptions are set forth in a separate section. Finally, a section labeled "Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object” deals with disclosures for facility (for example, hospital) directories and disclosures to family members and others directly involved in an individual’s care. For such disclosures, this section removes the covered entity’s obligation to obtain a patient’s consent or authorization if the patient, given an opportunity to agree or object to a disclosure, does not object (U.S. Dept. of HHS OPE 2000, 82812, §164.510). The regulation states: "A covered entity may use or disclose protected health information without the written consent or authorization of the individual ... provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the disclosure in accordance with the applicable requirements of this section” (ibid., my emphasis). Worries about the HHS privacy rule, however, do not stop here. Explicit legal power for our doctors and other covered entities to disclose our personal medical records without our permission is created by a subsequent section of the regulation that lists exceptions to the consent, authorization, and "agree or object” provisions. Next: Spreading your private medical information from agency to agency.
Footnotes 4. HHS itself stated that "concern about the coerced nature of these consents remains” (U.S. Dept. of HHS OPE 2000, 82473). As economist Paul Heyne once explained, to coerce is "to induce cooperation by threatening to reduce people’s options,” whereas to persuade is to "induce cooperation by promising to expand people’s options” (1997, 363, emphasis in original).
This article is adapted with permission of the publisher from the article "Health and Human Services 'Privacy' Standards: The Coming Destruction of Medical Privacy," by Charlotte Twight, in The Independent Review: A Journal of Political Economy (Spring 2002, vol. VI, no. 4, p. 485-511). © Copyright 2002, The Independent Institute, 100 Swan Way, Oakland, Calif. 94621-1428; http://www.independent.org. Charlotte Twight is a professor of economics at Boise State University.
Read more on this subject in related Hot Topics:
A product that might interest you:
|
|
|||||||||||||||||
|
|||||||||||||||||||
|
| All Rights Reserved © 2009 NewsMax.Com |