'Privacy' Rules Spread Your Personal Medical Information
Charlotte Twight
Thursday, Aug. 8, 2002
Editor’s note: This is part four of an article on how federal regulations that purportedly protect medical privacy have in fact done the opposite. Part one: Medical 'Privacy' Regulations Destroy Privacy. Part two: Rules Advance a National ID. Part three: Media and Feds Whitewash Invasive Medical 'Privacy' Rules.

A provision that facilitates virtually unfettered sharing of our medical information between government agencies is tucked away on page 21 of the HHS regulation’s fine print.

This provision allows certain government health plans, such as Medicare or the State Children’s Health Insurance Programs (SCHIP), to disclose individually identifiable medical records to other government agencies without patient consent. Its first sentence states:

A health plan that is a government program providing public benefits may disclose protected health information relating to eligibility for or enrollment in the health plan to another agency administering a government program providing public benefits if the sharing of eligibility or enrollment information among such government agencies or the maintenance of such information in a single or combined data system accessible to all such government agencies is required or expressly authorized by statute or regulation. (U.S. Dept. of HHS OPE 2000, 82818, §164.512[k][6], my emphasis)

Invading Privacy in the Name of Privacy

In other words, patient information may be shared between government agencies and combined with data from other government agencies in a comprehensive data system whenever such disclosure is merely authorized (not necessarily mandated) by statute or regulation. HHS chose to put its imprimatur — in the name of privacy! — on the widespread sharing of personal medical data without patients’ consent, endorsing this behavior rather than restricting it.

Nor is that all. The second and final sentence of the provision extends this approval to all “covered entities” — not only health plans but also health care providers and clearinghouses — that are government agencies:

A covered entity that is a government agency administering a government program providing public benefits may disclose protected health information relating to the program to another covered entity that is a government agency administering a government program providing public benefits if the programs serve the same or similar populations and the disclosure of protected health information is necessary to coordinate the covered functions of such programs or to improve administration and management relating to the covered functions of such programs. (U.S. Dept. of HHS OPE 2000, 82818, §164.512[k][6])

Make no mistake: the result is a validation of the existing widespread sharing of people’s medical information, without their consent, among a broad array of government programs, including Social Security, Medicare, Medicaid, and even the food stamp program.

Though HHS insists that the information can be shared only for eligibility determinations and not for other purposes, there is no mechanism in place to enforce such fine distinctions. Once the data are shared, a single computer keystroke can evade even the purest of regulatory intentions.

Rather than protecting the privacy of our medical records, this provision — explicitly allowing disclosure of our medical records, without our permission, between “government programs providing public benefits” — reinforces and validates a growing array of disclosures undertaken by Congress and federal regulatory agencies. Even these disclosures, however, represent but the tip of the iceberg.

Uncontrolled Redisclosure of Medical Information

The threat to privacy that the HHS regulations pose is multiplied a thousandfold by the redisclosures of our medical records that they permit. As we have seen, the regulations enumerate the many categories of recipients to whom doctors and other covered entities may legally transfer our medical records, either with or without our consent or authorization. These recipients include many individuals and organizations that are not themselves covered entities.

A giant hole in the regulations, which the HHS repeatedly acknowledges, is that they do not control most redisclosure of our medical records by authorized recipients who are not covered entities. As a result, the nationwide cornucopia of standardized personal medical information now being created will be disclosed to thousands of parties whose subsequent redisclosure of the information is wholly uncontrolled.

At the heart of the redisclosure problem is a provision allowing disclosure of patients’ medical records, without their consent, to “business associates” of covered entities. A business associate is defined as any person who, on behalf of a covered entity, either (a) helps to perform a “function or activity involving the use or disclosure of individually identifiable health information” — functions such as claims processing, claims administration, data analysis, utilization review, quality assurance, billing, benefit management and the like — or (b) provides “legal, actuarial, accounting, consulting, data aggregation ..., management, administrative, accreditation, or financial services” to the covered entity, “where the provision of the service involves the disclosure of individually identifiable health information from such covered entity” to the person (U.S. Dept. of HHS OPE 2000, 82798, §160.103).

In short, when business relationships entail covered entities’ disclosure of personal medical records to other firms, those other firms are regarded as business associates in the regulation. And many, perhaps most, business associates are not covered entities under the HHS rules: they are ordinary firms.

Because HHS has no direct jurisdiction, under HIPAA, over business associates that are not covered entities, it has attempted to control them indirectly through the covered entities. The mechanism is a required business associate contract, whereby a covered entity must obtain “satisfactory assurance that the business associate will appropriately safeguard the information” (U.S. Dept. of HHS OPE 2000, 82806, §164.502e).[5]

When a business associate is not a covered entity, however, enforcement of the contract is at best weak and indirect. All HHS can do is discipline the covered entity that created the business associate relationship, but it will do that only if

the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful: (A) Terminated the contract or arrangement, if feasible; or (B) If termination is not feasible, reported the problem to the Secretary. (U.S. Dept. of HHS OPE 2000, 82808, §164.504[e])

In other words, if a business associate misbehaves in these circumstances and the covered entity takes the HHS-mandated steps, the end result is that patients’ medical records will have been made public without their consent, and HHS cannot do anything about it. These are supposed to be “privacy” regulations?

Many other recipients of medical records under the HHS privacy regulations also are not covered entities. Law enforcement officials, courts, government administrative agencies, health-oversight organizations, even coroners: none fits the HHS definition of covered entities. Consequently, they, too, can redisclose medical records virtually at will, even though they initially obtained those records without patient permission under one of the exceptions discussed in the preceding section of this article.

Feds Knew the Problem, but …

During the approval process, HHS fully understood the problem, mentioning it many times in response to comments on the proposed rule, but plunged ahead anyway. It was a deliberate decision, with officials bluntly acknowledging that “HHS does not have the authority to regulate re-use or re-disclosure of information by agencies or institutions that are not covered entities under the rule”:

we [HHS officials] do not intend for the rule’s permissive approach to health oversight or the absence of specific documentation to permit the government to gather large amounts of protected health information for purposes unrelated to health oversight as defined in this rule, and we do not intend for these oversight provisions to serve as a “back door” for law enforcement access to protected health information. While we do not have the statutory authority to regulate law enforcement and oversight agencies’ re-use and re-disclosure of protected health information, we strongly support enactment of comprehensive privacy legislation that would govern public agencies’ re-use and re-disclosure of this information. (U.S. Dept. of HHS OPE 2000, 82674, 82689)[6]

This approach resembles handing a neighbor’s child a loaded gun and then stating that you have no authority to control the child. It is good that HHS favors a more comprehensive privacy rule and that its officials do not intend for the government and others to accumulate vast databases of personal medical information about Americans, but even the best of intentions cannot stop the predictable results of this HHS action.

In the name of medical privacy, the final HHS rule published Dec. 28, 2000, and put into effect on April 14, 2001, has given us coerced consent, wide-ranging exceptions that allow disclosure of medical records to diverse recipients without patients’ permission, extensive sharing of people’s medical records between government agencies, and virtually uncontrolled redisclosure of medical records by recipients — governmental and nongovernmental — that are not covered entities.

Yet this very rule is said to protect us from the threat to our privacy posed by the nationwide standardization of our medical records mandated by Congress through HIPAA and now partially implemented by HHS regulation. How can we understand the vast discrepancy between the rhetoric and the reality of the HHS medical privacy rule?

Next: How Big Brother foists invasive regulations on the public.

Footnotes
5. There are exceptions. No assurances need be given if the recipient is a health care provider involved in the treatment of an individual. In addition, certain disclosures by a health plan “that is a government program providing public benefits” escape the assurance requirement, as do some disclosures by group health plans and HMOs to the plan’s sponsor (U.S. Dept. of HHS OPE 2000, 82806, §164.502e).

6. Similar HHS statements with regard to the redisclosure of protected information are scattered throughout the record. See U.S. Dept. of HHS OPE 2000, 82672, 82681, 82682, 82683, 82687, 82688, and 82694.

* * *

This article is adapted with permission of the publisher from the article "Health and Human Services 'Privacy' Standards: The Coming Destruction of Medical Privacy," by Charlotte Twight, in The Independent Review: A Journal of Political Economy (Spring 2002, vol. VI, no. 4, p. 485-511). © Copyright 2002, The Independent Institute, 100 Swan Way, Oakland, Calif. 94621-1428; http://www.independent.org.

Charlotte Twight is a professor of economics at Boise State University.
