hasting center the privacy rule that’s not

8/13/2019 HASTING CENTER The Privacy Rule Thats Not

1/11

40 H A S T I N G S C E N T E R R E P O RT July-August 2007

Most physicians, patients, policy analysts,and journalists believe that the HIPAAprivacy rule protects medical confiden-

tiality. They are mostly incorrect. The Health Insur-ance Portability and Accountability Act creates med-

ical records rules that tighten internal practices, likehiding computer screens and not talking in elevators,and these protections are an improvement over pre-vious practice, but they are limited.1 Perhaps becausethe enabling legislation called for a standard for pri-vacy of individually identifiable health informationand the original final rule in 2000 required patient

informational consent, there is a belief that the De-partment of Health and Human Services rules pro-vide strong privacy protections for medical informa-tion. Unfortunately, that belief is a misconception.2

In fact, the amended final HIPAA rule (for simplici-

ty, hereafter referred to as HIPAA, or the HIPAArule) provides much less privacy than the term pri-vacy rule suggests.

Rather than broadly protecting privacy, theamended HIPAA rule generally constitutes a disclo-sure regulation.3As first issued in August 2002,4 theHIPAA rule specified how health information maybe used and disclosed, and it only partly keeps med-ical records confidential. Effective in April 2003, thefederal government gave six hundred thousand cov-ered entitiessuch as health care plans, clearing-

HIPAA is often described as a privacy rule. It is not. In fact, HIPAA is a disclosure regulation, and it

has effectively dismantled the longstanding moral and legal tradition of patient confidentiality. By permittingbroad and easy dissemination of patients medical information, with no audit trails for most disclosures, it has

undermined both medical ethics and the effectiveness of medical care.

The Privacy Rule Thats Not

b y RI C H A R D S O B E L

T H E

H I P A A P A R A D O X

Richard Sobel, The HIPAA Paradox: The Privacy Rule Thats Not,Hastings Center Report37, no. 4 (2007): 40-50.


2/11

H A S T I N G S C E N T E R R E P O R T 41Jul y-Augus t 2007

houses, and health maintenance orga-nizationsregulatory permission touse or disclose protected health infor-mation for treatment, payment, andhealth care operations (known asTPO) without patient consent.5

Some of these routine purposes for

which disclosures are permitted are

far removed from treatment. In fact,covered entities and their businessassociates may share patients sensi-tive personal information for treat-ment, payment, and health care oper-ations without the patients knowl-edge, over their opposition, and even

if patients pay for treatment out of

pocket or request the right to beasked for consent to disclosure oftheir medical records.6

Particularly troubling is the gov-ernmental authorization for coveredentities to use patients confidentialhealth information without their

consent for health care operations

HIPAA Rules and Challenges: A Timeline

Health Insurance Portability and Accountability Act, Pub. L. 104-191, 110 Stat. 1936, August 21, 1996

especially Title II, Subtitle F (administrative simplification), Secs. 261-4;

42 USC Secs. 1320d-d8; 45 CFR Secs. 160-164, especially 164.506-512

Authority for privacy rule delegated to DHHS secretary August 21, 1999

Proposed original rule (without a consent requirement), 64 Federal Register 59,918 November 3, 1999

(Notice of Proposed Rule-Making and Order 1999)

Comment period November 3, 1999, to

January 3, 2000,

extended to

February 17, 2000

Original rule (final, with consent), 65Federal Register 82,462, 45 CFR 160, 164, esp. 506(a) December 28, 2000

Additional comment period, 66Federal Register 12,738 (Notice of Proposed February 28, 2001, to

Rule-Making and Order 2001) March 30, 2001

Original rule effective date (with consent), 66Federal Register 12,434 April 14, 2001

Proposed amended rule (without consent), 67Federal Register 14,776 March 27, 2002

(Notice of Proposed Rule-Making and Order 2002)

Additional comment period March 27, 2002, to

April 26, 2002

Amended rule (final, without consent), 67Federal Register 53,182, 45 CRF 160, 164 (2002) August 14, 2002

Amended privacy rule effective date, 67Federal Register 53,182 October 15, 2002

Compliance date (for large entities; small health plans given an additional year) April 14, 2003

(originallyFebruary 26, 2003)

Citizens for Health et al. v. Thompsonfiled April 10, 2003

District Court Decision, Judge Mary A. McLaughlin, Philadelphia, 03-2267 April 2, 2004

Appellate Court Decision, Citizens, 428 F. 3rd 167 October 31, 2005

U.S. Supreme Court cert. petition, Citizens, cert. denied, 127 S. Ct. 43 October 3, 2006


3/11


that are unrelated to payment ortreatment. Health care operations(HCO) include most administrativeand profit-generating activities, suchas auditing, data analyses for plansponsors, training of nonhealth careprofessionals, general administrative

activities, business planning and de-velopment, cost management, pay-ment methods improvement, premi-um rating, underwriting, and assetsalesall unrelated to direct patientcare.7 Health care operations also in-clude some marketing (which other-wise requires a signed authorization)and fundraising for the covered enti-ty.8 As distinguished from coretreatment and routine paymentpurposes, health care operations per-mit the legal disclosure of informa-

tion that could be inappropriatelyused for purposes that patients mightnot approve, and thereby may lead toconsequences patients might not like.

In addition, covered entities mayshare patient information with mil-lions of contracted business associ-ates without patients consent. Likecovered entities, their business associ-ates are supposed to keep patient in-formation confidential.9 But becauseamended HIPAA rules permit broad

uses under health care operations anddo not require an audit trail for rou-tine disclosures, there is no way tomonitor whether health informationis shared in ways inconsistent withcontractual requirements or patientswishes. Thus, if patients have prob-lems with employment or insurancebecause of unauthorized disclosure oftheir health information, the patientcannot trace the harm to a disclosureauthorized under health care opera-tions.

The Possible Harm

Confidentiality is at the heart ofthe doctor-patient relationship,and consent is an essential means bywhich patients can assure that infor-mation remains confidential.10 Thereis a great need for such assurance be-cause any problem that could arisewith health disclosures probably will.

As Ted Cooper of Kaiser Permanentenoted in 2000 when he recommend-ed that HIPAA be crafted from theperspective of how we would wantour familys health data handled,every permutation that can happenwill happen.11 According to health

attorney James Pyles, informationsuch as a name and diagnostic code. . . could be enough to derail yourprospects for a loan or a job. Youcould be charged higher loan rates orlose a job because of whats in yourmedical record . . . And it will be im-possible to prove it was because yourdata was shared . . . because there isno disclosure or audit trail underHIPAA.12 Because of the lack of limi-tations, potentially harmful informa-tion is likely to be shared in the

course of basic health care operations,and HIPAA actually facilitates thatsharing, without patient authoriza-tion, even if other laws might prohib-it the use of the information.

Pyless comments suggest two ex-amples of possible harm through rou-tine disclosures under HIPAA. Whensharing health information duringhealth care operations, HIPAA couldpermit an insurer to give data to abank it owns, which might then deny

someone a loan on the basis of thosedata.13 A cancer drug prescriptionfrom a pharmacy bought by a con-glomerate that owns a mortgage com-pany could provide the basis for de-ciding that a patient who may have aterminal illness is a bad lending risk,for example. While some laws protectagainst the disclosure of special kindsof information, such as HIV status,the lack of a HIPAA audit trail onroutine disclosures means thatHIPAA tends to undercut these re-

strictions.Health information transmittedunder HIPAA health care operationsrules might also affect job prospects.HIPAA prohibits covered entitiesfrom disclosing health informationfor job-related purposes unless an in-dividual signs an authorization. Butan employer is not considered a cov-ered entity unless it self-insures itshealth plan, so if the employer is not

self-insured, it is exempt from theserules. In addition, even in those casesin which the employer is subject tothese rules, the lack of audit recordsmeans the prohibition may not be en-forceable. For instance, despite theHIPAA requirement for a patients

written authorization before medicalrecords can be used for employmentpurposes, HIPAA lets self-insuredemployers receive employee healthdata for utilization review. Thus, aself-insured employer might legallyobtain information from a physicalexam on an employee without his orher authorization that reveals the em-ployee is diabetic. The employermight then deny that person a pro-motion to the head of food services.Or a corporation considering acquir-

ing a pharmacy group could viewmember records as part of due dili-gence, learn that one of its executivesuses an anxiety medication, and de-cide she is not a good candidate forchief financial officer. As businesseslearn that health information may beobtained legally through health careoperations provisions without askingfor authorization, the likelihood ofbreaches may increase.

A recent case in California shows

concretely how HIPAA rules maylead to insurance or job loss. ThroughHIPAA procedures permittingbutnot requiringthat therapy notes bekept separate, a Stanford hospitalsdisclosure of a patients psychiatricrecords contributed to her losing adisability complaint. Because HIPAAdoes not require that psychiatric notesbe maintained separately from othermedical records, the patients therapyinformation, scanned and electroni-cally stored in the hospitals computer

system with the rest of her medicalrecords, was released to the disabilityinsurer against the patients wishesand despite assurances by her psy-chotherapist that the notes were beingkept separately and would not be dis-closed without her consent. The re-leased information contributed to adenial of disability insurance benefitsfor an unrelated automobile accident,then to disability discrimination


4/11


when she returned to work, and even-tually to the loss of her job.14

Misconceptions aboutProtection

Medical ethics dating back to the

Hippocratic Oath require con-fidentiality, and the pre-HIPAA prac-tice was almost entirely to ask for pa-tient consent to discloseinformation.15 Further, some statelaws and professional codes of ethicsincorporated into state licensing lawsexplicitly require confidentiality andconsent to disclose. Nonetheless,many citizens are not currently soprotected. Most notices of privacypractices (also known as NPPs)theforms handed out at doctors offices

that are supposed to explain HIPAAsrulesare written as if only the feder-al requirements (or their deficiencies)apply to medical information. This isso even though HIPAAs rules requirethat they incorporate any more strin-gent standards that may be set out instate laws.16 As two physicians note,in effect the Hippocratic Oaththefoundation of medical ethics and themost important of all patientsrightshas been rescinded by federal

decree.17

Under HIPAA, physiciansneither need to nor are able to keeppatient information private. More-over, the absence of a requirement forobtaining patient consent indirectlylowers the observance of ethical andprofessional standards. Justice Bran-deis called the government the om-nipresent teacher for good or ill;18

the governmental lesson here is thatpatient privacy need not be legally orethically protected any more.

Ironically, providers misunder-

standing of HIPAA may generatemore privacy protection than thelaws actual provisions. The 2002American Medical Association bookon HIPAA says the rule requires aninitial consent to the providers use ordisclosure of PHI [personal health in-formation] for the purposes of treat-ment, payment and health care oper-ations. Although it mentions that aproposed modification would elimi-

nate the need for the initial con-sent,19 physicians who read this pas-sage when consent was still part of theoriginal final rule might not realizethat the requirement has beenamended away. Many physicians mayyet think mistakenly that HIPAA re-

quires patient consent for using infor-mation and thus request it of theirpatients.20 But consent is now option-al under the amended rule.

Similarly, administrators may be-lieve that a HIPAA requirement forsharing only the minimum necessaryinformation for insurance purposesmay be generalized to all purposes,including treatment. In fact, medical

providers are exempt from minimallytailoring treatment disclosures. Whilesome doctors may still offer or ask forconsent as they traditionally have

whether for ethical reasons or becausethey do not understand that it is nowoptionalmost HIPAA notices donot offer the patient a chance to giveconsent. As more providers, patients,and policy analysts recognize thatHIPAA now lacks a patient consentprovision, many will realize some-thing is seriously awry with the pri-vacy rule.

The notices of privacy practicesthat patients receive at initial clinicalencounters contribute to the confu-

sion. While the forms are supposed totell patients what rights they have(such as seeing their records) andwhat rights they lack (such as con-senting or withholding consent foruse and disclosure), the language iscomplex, and many patients (andproviders) misread the notices as con-sent forms. Patients are asked andsometimes required to sign the forms,just as they are with consent forms,

and this similarity of process may it-self confuse patients. But notices ofprivacy practices are not consentforms, and patients may or may notsign themin fact, whether patientssign them has no effect on what hap-pens to their medical information.21

Oddlyand disturbinglythey areone of the main features that theDHHS identifies as protecting priva-cy: the DHHS asserts that they havethis effect because they are supposedto encourage physicians and patientsto discuss informational privacy.

In fact, under HIPAA, patientscannot prevent their informationfrom being shared by refusing to pro-

vide their signatures or otherwise try-ing to withhold consent. At most, acovered entity will agree to a patientsrequest to be asked for his or her con-

sent. Up to 90 percent of providersoffered consent prior to HIPAA,22

and a few providers may still ask pa-tients for consent, but most providersdo not currently offer the option ontheir own for the few patients whomight request it. With so fewproviders offering them, patients can-not secure consent options by movingto another doctor.

Indeed, there are strong incentivesfor providers not to offer consent.Quite simply, it is easier not to.

Moreover, the license HIPAA gives tocovered entities with regulatory per-mission to use and disclose patientdata without consent is a strong en-couragement not to seek it. In addi-tion, providers who offer a consentoption incur legal liabilities of civiland criminal penalties if consent isthen not obtained or the privacypromise is violated.23 In an Orwellianreversal, not offering the consent op-

Ironically, providers misunderstanding ofHIPAA may generate more privacy

protection than the laws actual provisions.


5/11


tion creates no such obligation. Notrequiring providers to request consentmeans that those few patients whomight want to withhold it to protector negotiate for their privacy lack theright and leverage to do so.

Consent is essential to good med-

ical care because the opportunity tooffer or withhold consent providespatients with a sense of efficacy andthe basic elements of control in re-ceiving medical care. Commentatorssometimes dismiss consent as a use-less privacy protection. However, theproblem is typically not with consentper se, but with the way it is present-ed. If it is forced, or if it is a merelypro forma option, then it accomplish-es little. The challenge is to make theconsent decision and process an inte-

gral part of all treatment and infor-mational relationships.24

When patient consent was re-quired in the original final rule, cov-ered entities could refuse treatment,except in emergencies, to patientswho declined to sign a consent form.Now, if patients refuse to sign theprivacy notice, they can still gettreatment. However, some healthplans may mistakenly refuse to treatthose declining to sign,25 or they may

set up computer procedures that re-quire HIPAA acknowledgement be-fore being able to sign in. Althoughsigning the privacy notice is withoutlegal consequence, providers whomistakenly withhold treatment frompatients who do not sign it under-mine a major purpose of HIPAAnamely, to facilitate patient care.

Physicians Concerns aboutMedical Privacy

National surveys show that bothdoctors and patients questionHIPAAs benefits for medical privacy.Doctors, in particular, recognizeproblems with the HIPAA rule. Ac-cording to a survey conducted in2005 by Julia Slutsman and col-leagues, Most physicians . . . believethat the privacy rule does not im-prove the protection of confidentialhealth information.26 While most

physicians felt that some HIPAA pro-visions would somewhat or greatlyimprove privacy protections, themajority did not think either the no-tice provision (64.2 percent) or priva-cy officers (60.3 percent) would im-prove protection of health informa-

tion.27Although one quarter felt thata violation of medical records privacywas a very serious problem, lessthan a quarter (22.8 percent) agreedthat the privacy rule would help themmaintain the confidentiality of pa-tients medical records. In fact, near-ly half (45.4 percent) disagreed.

Two-thirds of physicians reportedthat written patient authorization fornonroutine uses of confidential pa-tient information (other than intreatment, payment, and health care

operations) will greatly or some-what improve privacy protection. Infact, the HIPAA requirements for awritten authorization for uses in mar-keting, employment, or insurancegive patients the control that the tra-ditional practice of requesting con-sent provides. The authors foundthese results contradictory. Mostphysicians believe that the privacyrule does not improve the protectionof confidential health information,

yet many feel specific requirementswill improve privacy protection.What is going on here?

Physicians perception that the pri-vacy rule will not greatly improve pri-vacy protections may stem partlyfrom a belief that their ethical andprofessional obligations, not regulato-ry mandates, assure patients privacyand confidentiality.28 Indeed, be-cause the final HIPAA rule wasamended in 2002 to remove patientsright to consent, only the ethical re-

sponsibilities of conscientious physi-cians and some state laws may keeppatient information confidential. Onthe other hand, physicians ethics willbe severely tested when they want topromise confidentiality, but their em-ployers, regulatory bodies, or insurersinsist on access to patients healthdata. In short, physicians can neitherreadily adhere to professional ethicsnor promise confidentiality to their

patients. More physicians will essen-tially have to offer not promises ofconfidentiality, but warnings, a laTarasoff or Miranda, that what pa-tients tell their doctors may be usedagainst them.29

Patients Concerns aboutMedical Privacy

How concerned are patients abouttheir medical privacy? And howmany have had their medical infor-mation accessed inappropriately andhave suffered because of it? Also, howmany people are so concerned aboutthreats to their medical privacy thatthey forgo medical treatment? As theSupreme Court noted inJaffe v. Red-mond, concern and suspicion about

the possibility of losing confidentiali-ty, especially for mental health care,can deter patients from sharing infor-mation with providersor even seek-ing care in the first placeas effec-tively as actual breaches. As morepeople become aware that they donot control their medical informationunder HIPAA, the number avoidingtreatment is likely to grow.

Public opinion surveys since the1990s have found high levels of con-

cern about medical privacy. In a 1993Harris poll, 85 percent believed pro-tecting the confidentiality of medicalrecords was either absolutely essen-tial or very important in any healthcare reform. In a 1994 Wirthlin sur-vey, 83 percent of the public held thatany provider, including a doctor,should need patient approval to sendto an outside organization any diag-nosis or treatment information. A2002 Johns Hopkins University studyfound that 85 percent of respondents

opposed employer access to geneticinformation.30 In short, the publicthinks their own physicians need pa-tient approval to use their medicalrecords, even for treatment.

A 1999 California HealthCareFoundation (CHCF) study foundthat one in seven patients (15 percentnationally) was taking at least one ofsix possible measures to hide informa-tion from their providers, including


6/11


going to different doctors or payingout of pocket.31 A 2005 follow-upthat asked only four of those six ques-tions found one in eight patients (13percent on average) were practicingprivacy-protective behaviors.32 If allsix questions had been repeated,

about 20 percent to 22 percent wouldhave indicated that they pursued pri-vacy protective behaviors.33 In short,the proportion acting on their con-cerns about the loss of medical priva-cy has grown significantly in half adecade.

The Magnitude of the Harm

While about one third of respon-dents (36 percent) in the 1999CHCF study were concerned that

health claims information provided toinsurers might be used by employersto limit job opportunities, the 2005percentage rose to over half (52 per-cent).34 The 1999 CHCF studyfound that 17 percent had experi-enced a breach of their health priva-cy6 percent by a hospital or clinic,and 6 percent by an employer. The2005 survey shows that one quarter ofrespondents (23.5 to 28 percent) areaware of . . . specific incidents where

the privacy of peoples personal infor-mation was compromised.The national CHCF surveys indi-

cate that about a tenth had their hos-pitals or employers share informationinappropriately. Some feel they havelost a job or insurance because ofthese breaches. These CHCF figuresprovide evidence that a significantnumber of patients are changing theirtreatment behavior because of con-cerns that their health privacy is notprotected. Though the DHHS Office

for Civil Rights has received twentythree thousand complaints about pri-vacy violations35including 5,648 injust the first year of its operation(2003-2004)most have been dis-missed for being outside HIPAArules.36

Privacy protections are needed be-cause confidentiality is essential forpatients to safely share their health in-formation with physicians who keep

medical records on an electronic sys-tem. As more patients (and doctors)discover that they have no right underthe HIPAA rules to give or withholdconsent in controlling their health in-formation, the proportion not provid-ing full medical details will increase. If

the problem gets bad enough thatphysicians are forced to diagnosewithout full patient information andto practice more defensive medicine,then medical mistakes and health carecosts will rise. Physicians who sharepatients concern about privacy mayalso omit information from patientrecords. Further, physicians may feeldriven to substitute costly diagnostictesting to identify information thatpatients would freely share if they felt

their privacy would be protected.There are few clearer examples of theinformation processing clich,garbage in, garbage out, than anelectronic health system that is basedon incomplete or censored patientdata.

Problems Doctors Face

Physicians have increasing difficul-ty maintaining patient confiden-tiality under the HIPAA rules. Three

non-HIPAA cases point to the prob-lems that patients and providers facewhen health information is not pro-tected by patients right to consentunder state or national law. In 1999,Dr. Sheila Horn was fired after refus-ing to share confidential patient infor-mation with her employer, The NewYork Times Company, even thoughher state medical society indicated shehad an ethical obligation to her pa-

tients not to do so. A New York ap-pellate court decided in her favor thatshe was required to follow medicalethics of confidentiality, but the StateSupreme Court ruled that as an em-ployee she could still be fired at will.(The New York Times Company had

said she was released after a restruc-turing of its medical department.)37

Another case of compromised con-fidentiality concerns Harold Eist, apsychiatrist in Maryland, whose con-fidential patient records have been re-peatedly demanded by the MarylandState Board of Physicians in responseto a third-party complaint despite theadamant opposition of the patient, apeer review that found the third-partyallegations against Dr. Eist without

merit, and four court decisions sup-porting Dr. Eists position in defenseof medical privacy.38 The board stillmaintains that it can compel Dr. Eistto disclose the patients entire medicalrecord and that Dr. Eist should bepunished for his lack of speedy coop-eration.

Even Dr. Daniel Shragers success-ful protection of patient privacy re-veals the pressures on physicians toshare confidential patient data.39 Inthis situation, Magellan Behavioral

Health threatened to remove Shragerfrom its provider panel if he did notturn over confidential psychiatric pa-tient data. Shrager won, althoughHIPAA rules permit sharing patientinformation with oversight and panel-ing agencies that demand medicalrecords. At the very least, the caseshows that physicians careers and pa-tients health secrets are increasingly at

A 1999 study found that one in seven patients

was taking measures to hide information from

their providers, including going to different

doctors or paying out of pocket.


7/11


risk, and that defending them is cost-ly.

Moreover, the official evaluationsof the HIPAA rule miss the threatsthat providers, patients, and theirrecords face. For example, a Govern-ment Accountability Office report in

2004 concluded that implementationof the privacy rule has not hinderedthe provision of health care.40Also in2004, the DHHS Office for CivilRights found that, of three thousandcomplaints about privacy violationlodged under HIPAA, only 259 werevalid, and it levied no fines. Morethan a third (35.3 percent) of thecomplaints alleged violations that theOffice for Civil Rights held were notprohibited by the Privacy Rule, suchas lack of a consent provision for use

of confidential information.In fact, in addition to the DHHS

Office of Civil Rights finding that thedenial of patient consent is not an ap-propriate criterion for complaints, theDepartment of Justice ruled that em-ployees who violate the privacy ruledo not implicate the covered entity ifthe individuals are not acting in offi-cial capacities. For instance, in 2004,a Seattle hospital employee who stolepatient information to obtain fraudu-

lent credit cards and goods was sen-tenced to sixteen months in prison.The Justice Department, however,ruled that criminal penalties onlyapply to insurers, doctors, hospitalsand other providersbut not neces-sarily their employees or outsiderswho steal personal health data.41 Inshort, the law does not necessarilycover the misdeeds of people whowork for a covered entity because onlycovered entities themselves can beprosecuted under HIPAA.

Both the GAO report and the Jus-tice Department interpretations ig-nore the numerous complaints aboutthe lack of consent in the HIPAA reg-ulations. In a medical catch-22,breaches of confidentiality from lackof consent are not breaches ofHIPAA, and hence are not violations.The traditional confidentiality of doc-tors and patients relationships nowsurvives mostly on the strength of

ethical norms and misperceptionsabout the law. The reality is thatphysicians cannot promise confiden-tiality, and patients are unable to con-sent or withhold permission for use oftheir confidential health information.Nor can patients complain effectively

when they discover that their wishesare ignored. Patients most importantconcernsabout having some say inthe use of their recordsare neitherpart of the HIPAA rules nor subjectto investigation by the Office for CivilRights. In effect, HIPAA functions asa Trojan horse in breaching the edificeof medical confidentiality: it erodesethics and lulls doctors and patientsinto thinking they have privacy pro-tections.

Actual protections are increasingly

limited, as this comment from anAmerican Hospital Associationspokesman revealed: our nationalhealthcare system can no longer be-guile itself with the myth that qualitycare involves only one doctor and onepatient alone in a room where confes-sions are made and promises are kept.. . . A visit to a physician may be thepoint of entry into the system for agiven episode of illness, but it con-torts the process and potentially un-

dermines the quality of care to pre-tend that an institution can be re-duced to a personification of the se-cret-protecting family doctor.42 Sim-ilarly, the Justice Department wrotein a 2004 brief: there is no federalcommon law protecting physician-patient privilege, and in modernmedical practice, [I]ndividuals nolonger possess a reasonable expecta-tion that their histories will remaincompletely confidential.43 If there isany hope to be found, it is that this

detrimental state of affairs will givepatients, doctors, and policy-makersan impetus to push for improvementin privacy protections.

On the one hand, patients mayrefuse to disclose important but em-barrassing information because theirproviders cannot guarantee privacy.On the other hand, physicians mayhave to require more tests, or play catand mouse with patients to get more

information. Some providers maysimply ask less and instead try to fig-ure out histories and diagnoses by in-ference.44 Providers may also omit ormislabel information in patientsrecords.

The ethics and effectiveness of

medical care are at risk. As physiciansand patients learn that they are losingtheir autonomy, their control overtheir relationship, and the confiden-tiality of their most private informa-tion, ethical and practical dilemmaswill abound. The tensions in theSlutsman study findings reflect physi-cians recognition that HIPAA doesnot protect patient privacy; indeed, itweakens their ability to maintain con-fidence and respect professionalnorms.45

As Ascher et al. noted, the purposeof patient informational consent isthe same as the purpose behind in-formed consent for treatment: toshow respect for patient autonomy byinforming the patient of the risks andbenefits, and allowing the patient tomake informed decisions about therisks and benefits of sharing health in-formation.46 Although some statesprovide more stringent laws that pre-empt HIPAA, the federal privacy

rule incentives not to offer patientconsent undermine traditional ethicaland legal protections.

Even HIPAA Protections CouldBe Diluted

One rationale for passage ofHIPAA was that enacting a sin-gle, common rule for respecting theprivacy of medical records would fos-ter administrative simplification (45CFR 160-164) and promote the

computerization of health informa-tion. In actuality, HIPAAs lack of pri-vacy protections undermines these ef-ficiency goals, since if patients decidenot to disclose potentially detrimentalinformation, health care costs willrise. The transition to electronic med-ical records will not be successful un-less respect for medical privacy is as-sured. Yet recent Bush administrationcalls to reduce health costs by pro-


8/11


moting electronic medical records stilloverlook this reality.47

Although electronic record-keep-ing can be valuable in preventing er-rors and computer systems can bemade more secure by setting up mul-tiple levels of access and permission,

computers also make privacy breachesmuch easier and significantly moreconsequential. For instance, it is easi-erappropriately or notto sendentire medical records at the click of amouse than to copy and mail a largepaper record. Computerization alsoallows sensitive information to be sentto numerous destinations as easily asto any one.

In addition, some groups are lob-bying to turn what is called theHIPAA floor of minimal protec-

tions into a ceilingsetting themaximum standardsby removingpatient consent requirements fromstricter state laws, including those in-corporating professional codes ofethics and conduct.48 The proposedalternative would replace the stateprotections with provisions that facil-itate interoperable sharing of healthdata without consent.49

For instance, the Health Informa-tion Technology Promotion Act of

2006 (H.R. 4157), a bill concerningelectronic medical records that is sup-ported by the health care industry,lacks any consent provisions. Earlierversions proposed that the DHHSsecretary be authorized to removeHIPAAs preemption of more strin-gent state privacy laws, but that pro-posal has been modified. H.R. 4157also authorizes a National Coordina-tor for Health Information Technolo-gy to set up a health surveillancedatabank system. The House of Rep-

resentatives passed the bill in July2006.In the Senate, the proposed Wired

for Health Care Quality Act (S. 1418)provides for the development of stan-dards for a national, interoperableelectronic medical records system.But, like its House counterpart, itdoes not recognize or preserve theright to health information privacy,

nor does it include a provision for pa-tient consent.

In short, even more than HIPAA,H.R. 4157 and S. 1418 would createa system in which, at the behest ofcovered entities, patients andproviders would have virtually no

health information privacy rights, andphysicians would be even less able toguarantee patient privacy or to adhereto the principles of medical ethics en-suring confidentiality.

What Can Be Done?

Conscientious and cost-consciouslegislators and administratorsneed to recognize that the price ofproviding privacy protections is acomparatively small part of the health

care systems overall costs and is less

than the expense generated by the pri-vacy protective behavior to which pa-tients resort when they feel their pri-vacy is threatened. In particular, ob-serving the ethical principle of patientconsent to disclosure would be rela-tively inexpensive and cost effective.The American Hospital Associationhas estimated that only $101 millionof the $22.5 billion cost of complyingwith HIPAA over five years50was at-

tributable to asking privacy consent,as required by the original final rule.51

In short, for less than one-half percentof HIPAAs costs, the right to consentcould have been preserved,52 so restor-ing the consent provisions to theHIPAA process and forms would becost effective.

Besides adding a consent provi-sion, three other changes would im-

prove HIPAA. First, the DHHSes-pecially its Office for Civil Rightsand state governments should requirethat notices of privacy practices incor-porate more stringent state laws onconfidentiality and consent into theirtexts and protections. Second, the

DHHS and its Office for Civil Rightsshould enforce HIPAAs provisions,including those requiring that stateconfidentiality laws be incorporatedinto notices of privacy practices. Cur-rently, violations of HIPAA have nonegative consequences.53 Third, audittrails (especially under health careoperations) should be incorporatedinto HIPAA rules for uses and disclo-sures so that breaches can be traced.

A constitutional challenge in Citi-zens for Health et al. v. Leavitt sought

to have the omission of patient con-

sent from the amended HIPAA ruledeclared unconstitutional. The suitargued for recognizing protection ofhealth privacy and patient consent tobe fundamental constitutional rights,as identified in the Supreme CourtsFerguson v. City of Charleston decision,which stated, the reasonable expecta-tion of privacy enjoyed by the typicalpatient undergoing diagnostic tests ina hospital is that the results of those

tests will not be shared with nonmed-ical personnel without her consent.54

Citizens asked the Court to find theHIPAA rule in violation of medicalprivacy under the Fifth Amendmentright to liberty and First Amendmentright to private communications byholding that HIPAA impinges onhealth privacy as a constitutionalright. The suits twenty plaintiffs

Observing the ethical principle of patient

consent to disclosure, as required by the

original final rule, would be relatively

inexpensive and cost effective.


9/11

sought reinstatement of the originalfinal version of the rule, which re-quired that patients be asked for theirconsent. The challenge has so farbeen unsuccessful.55

There are other fronts, however.Congress should incorporate a pa-

tient consent provision into any legis-lation on electronic health informa-tion. Citizens can contact Congressto insist on the inclusion of privacyprotections and consent provisions inbills like H.R. 4157 and S. 1418.56

The mediaespecially the medicaland national pressshould illumi-nate the significance of confidentiali-ty and consent and educate the pub-lic and leaders about the detrimentalconsequences of the current privacyrule. Powerful medical groups like

the American Medical Association57

and the American Psychological As-sociation, acting as advocates in Con-gress and amici curiae in the Courts,should insist that confidentiality andconsent be restored to HIPAA, bothfor ethical and for practical reasons.

In short, professional ethics, re-sponsibilities, and goals mandate thatmedical providers and organizationssupport restoring patient informa-tional consent to the HIPAA rules

and electronic medical records laws.The courts and legislatures shouldalso support patient privacy by re-quiring that HIPAA and electronicmedical records bills incorporate thefundamental principles of medicalconfidentiality and patient consentinto their provisions. These laws andrulings will benefit both the well-being of individual Americans andthe health of the body politic by sus-taining the fundamental rights toconfidentiality and consent that un-

dergird quality medical care.

Acknowledgments

Earlier versions of this article werepresented for the Fellowship in the Di-vision of Medical Ethics, Departmentof Social Medicine, Harvard MedicalSchool, and at the Seminar of the Pro-gram in Psychiatry and the Law, De-partment of Psychiatry, Beth IsraelDeaconess Medical Center, Harvard

Medical School. I would like to thankcolleagues in the fellowship in medicalethics at Harvard Medical School, par-ticularly Mildred Solomon, RickBlanks, Mary Cerreto, Stacey Ellender,

Amy Farber, Stephen ONeill, andFrank Wharam, and in the Program inPsychiatry and the Law, particularlyThomas Gutheil, Archie Brodsky,Harold Bursztajn, Michael Commons,Eric Drogin, Marc Hauser, DonaldMeyer, Barry Roth, Graham Sprueill,Mitzi White, and Gary Zalkin, as wellas Eric Benson, David Byrom, HeidiKuehl, Adam Speegle, John Metz, OleNorheim, James Pyles, Nancy Sobel,Sarah Wald, and anonymous reviewersfor comments, research, and sugges-tions on earlier versions of this article.

Disclosure

The author and the Program in Psy-chiatry and the Law at Harvard Med-ical School were amici in Citizens forHealth et al. v. Leavitt in the Third Cir-cuit appeal and Supreme Court peti-tion for writ of certiorari (www.pi-patl.org/amicus.php).

References

1. The Health Insurance Portability andAccountability Act (Public Law 104-191)sets out standards for the portability ofhealth insurance. Administrative simplifica-tion, Section 164, includes the require-ments for standards on medical informa-tionthe so-called privacy rule.

2. See P. Appelbaum et al., False Hopesand Best Data: Consent to Research andthe Therapeutic Misconception, HastingsCenter Report27, no. 2 (1987): 20-24. TheHIPAA misconception may be therapeu-tic in the sense that patients and providersmistakenly think HIPAA provides for priva-cy as part of the doctor-patient relationship.

3. R. Sobel, No Privacy for All? SeriousFailings in the HHS Medical Records Reg-ulations, Journal of Biolaw and Business5,no. 2 (2002): 45-48; R. Sobel, Maintain-ing Informed Consent for Doctor-PatientConfidentiality: More Serious Failings inthe HHS Medical Records Regulations,

Journal of Biolaw and Business 6, no. 2(2003): 61-65; Citizens for Health et al. v.Leavitt, 3rd Circuit, 428 F.3rd 167, Octo-ber 31, 2005.

4. Public Law 104-191, known as theKennedy-Kassebaum Bill. U.S. Depart-ment of Health and Human Services,Standards for Individually Identifiable

Health Information, 45 CFR 160-164,April 14, 2001; October 15, 2002.

5. 64 Federal Register53,211, August 14,2002, sec. 164.506a.

6. While patients may request the rightto consent before the use or disclosure oftheir medical information (45 CFR, para.164.552[a]), institutions do not have to

agree to give the patient the opportunity toconsent, and many have blanket policies re-fusing to do so, or refusing treatment unlessthe patient consents. The original final rulethat included a consent provision was ap-proved in 2000, but was amended in Au-gust 2002 to drop the consent requirement.

7. Sec. 164.501, 506. The AmericanMedical Association has long argued againstusing the broad definition of health care op-erations. See G. Aston, Pushed by a Loom-ing Legislative Deadline, AMA Delegates

Adopted New Policy on Patient Confiden-tiality Issues Tied to Participation in Med-ical Research,American Medical News, July

12, 1999.8. The definition of marketing, which re-

quires written patient authorization (equiv-alent to traditional consent), was narrowedto exclude forms of promotion such asthird-party solicitations and face-to-facecommunication, which therefore nolonger require authorization. Contactingof health care providers and patients withinformation about treatment alternatives isalso considered to be part of health care op-erations, and therefore does not require au-thorization. Some educational communica-tions during health encounters, whichcould be considered marketing and hence

require authorization, are defined instead aspart of treatment. Fundraising under healthcare operations may use demographic infor-mation and dates of health care without pa-tient consent (but with an opt-out provi-sion afterwards) for outside organizationsraising money for the benefit of the cov-ered entity (164.501).

9. HIPAA creates rules for confidentiali-ty (limitations of the range of records shar-ing), not privacy (patients control of infor-mation).

10. For a discussion of the essential na-ture of confidentiality and consent for qual-ity medical care, see the amicus briefs in

Citizens and Althaus v. Cohen of the Pro-gram in Psychiatry and the Law at HarvardMedical School, www.pipatl.org/amicus.php.

11. M. Doscher, HIPAA: A Short andLong Term Perspective on Health Care(Chicago, Ill.: American Medical Associa-tion Press, 2002), 90.

12. Eyes on Your Records, ConsumerReports, March 2005, http://www.con-sumerreports.org/cro/health-fitness/health-care/electronic-medical-records-306/eyes-on-your-record/index.htm; see also The



10/11

New Threat to Your Medical Privacy, Con-sumer Reports, March 2006: 39 and 42. Ananonymous reviewer of this paper indicatedthat HIPAA should not be held responsiblefor the violation of its provision. But by cre-ating paths that permit misuse of informa-tion without audit trails, along with DHHSlack of enforcement and penalties, HIPAAitself arguably contributes to the likelihoodthat the information will be improperlyused.

13. Ibid.

14. Galvin v. Stanford Hospitals and Clin-ics, California Superior Court Case No. 1-04-CV-024690, filed August 9, 2004. SeeMotion for Summary Judgment to Plain-tiffs Second Amended Complaint, August3, 2005; see also T. Francis, Spread ofRecords Stirs Patient Fears Of Privacy Ero-sion, Wall Street Journal, December 26,2006.

15. See also the Program in Psychiatryand the Law amicus brief, http://www.pi-

patl.org/amicus.php, for discussion of theconflict between HIPAA and the Nurem-berg principle that the voluntary consentof the human subject is absolutely essen-tial. See Directive for Human Experimen-tation, Nuremburg Code, http://ohsr.od.nih.gov/guidelines/nuremberg.html. Somefind HIPAA constitutes an unconsented ex-periment about the effects on patient careof unconsented disclosure of confidentialmedical information (see H. Bursztajn and

A. Brodsky, Captive Patients, CaptiveDoctors: Clinical Dilemmas and Interven-tion in Caring for Patients in ManagedHealth Care, General Hospital Psychiatry

21 [1999]: 239-48). For pre-HIPAA prac-tice concerning patient consent, see 65CFR 82771. For further details, see note 22below.

16. 45 CFR 164.520(b)(1)(ii)(C) re-quires incorporating more stringent stateprivacy protections into notices of privacypractices.

17. B.K. Herman and D. Peel, HIPAAsReal Effect: The End of Medical Privacy. ANew Dilemma for Physician Executives,The Physician Executive, January/February(2004): 37.

18. Olmstead v. United States, 277 U.S.438, 469 (1928) (Brandeis, J., dissenting).

19. Doscher, HIPAA: A Short and LongTerm Perspective on Health Care, 78. See E.Redden, Fuzzy Understandings ofFERPA, June 14, 2007 at http://www.uh.edu/ednews/2007/insidehe/200706/20070614ferpa.html, on how confusionabout the provisions of HIPAA and FERPA(Family Educational Rights and Privacy

Act) protect privacy.

20. According to HIPAA Section 264c,the DHHS secretary shall promulgate finalregulations containing such standardsnamely, standards that set forth the privacy

rights individuals should have with respectto their identifiable health information andthe procedures for exercising them. Theoriginal final rule (December 28, 2000) in-cluded the following consent requirement:(1) Except as provided . . . a covered healthcare provider must obtain the individualsconsent . . . prior to using or disclosing pro-tected health information to carry out treat-ment, payment, or health care operations.However, the similarly numbered section ofthe amended rule (October 15, 2002)changed this to, The consent provisions insection 164.506 are replaced with a newprovision at section 164.506(a) that pro-vides regulatory permission for covered en-tities to use or disclose protected health in-formation for treatment, payment, andhealth care operations.

21. The complaint in Citizens includedtwenty-five affidavits and hundreds of pri-vacy notices issued on or after April 14,2003, showing that Citizens sensitivehealth information was being disclosed bycovered entities without notice or consent,and over their objections. Beginning April14, 2003, under the amended rule, virtual-ly all covered entities switched from theirpractice of obtaining consent for routineuses and disclosures to the unauthorized useand disclosure of health information as a re-sult of regulatory permission in the Amend-ed Rule. See affidavits of Deborah Peel andothers; Joint Appendix to District CourtCase, 238-40, 312-14, 1476-85.

22. 65 Federal Register 82,771. Prior toHIPAA, the DHHS estimated that mostnon-hospital providers and virtually all hos-pitals follow this practice [of obtainingsome consent for use and disclosure of indi-vidually identifiable health information].The DHHS assumed that 90% of thenon-hospital providers and all hospitals cur-rently obtain some consent. Yet [w]efound among the plaintiffs in the Citizenssuit that very few covered entities of anykind were obtaining consent for disclosuresfor treatment, payment, and health care op-erations after April 14, 2003. All [plain-tiffs] requests for a consent process (restric-tions) were denied and large insurers likeKaiser Permanente were found to be deny-ing all such requests. Personal communica-tion from James Pyles, November 13, 2006.

See also the affidavits cited in note 17.23. Doscher, HIPAA: A Short and Long

Term Perspective on Health Care, 12-13.

24. Although consent may at times beconsidered pro forma or granted underpressure if providers are required to seek itfrom patients, coerced consent is a contra-diction in terms; it must be informed andvoluntary to be meaningfully granted.

25. One patient who attempted to sub-stitute a consent request on a HIPAA notice

was denied treatment. T. Francis, Setting

the Records Straight, Wall Street Journal,October 21, 2006. Another wrote in anemail response to the Francis article thatEvery hospital and doctor I asked to notshare my records refused. One hospitalagreed to protect the records only after Ithreatened to sue under Illinois Statutesafter I learned that they had shared myrecord. Personal communication to T.Francis, October 23, 2006.

26. J. Slutsman et al., Health Informa-tion, the HIPAA Rule, and Health Care:

What Do Physicians Think? Health Affairs24, no. 3 (2005): 832-42.

27. Ibid., Exhibit 3, 838.

28. Ibid., 837.

29. Tarasoff v. Regents of the University ofCalifornia(17 Cal. 3d 425 [1976]). See alsoLamb warnings in R. Barnum et al., Pa-tient Warnings in Court-Ordered Evalua-tions of Children and Families, Bulletin ofthe American Academy of Psychiatry and Law15, no. 3 (1987): 283-300. See also Sobel,

Maintaining Informed Consent.30. Louis Harris & Associates, July 26,

1993, national telephone survey; WirthlinGroup, June 22, 1994, national telephonesurvey; Princeton Survey Research for theGenetics and Public Policy Research Centerat Johns Hopkins University, October 15,2002, national telephone survey.

31. California HealthCare Foundation,Medical Privacy and Confidentiality Sur-vey, 1999; http://www.chcf.org/topics/view.cfm?itemID=12500. The July 26,1993, Harris Survey for Equifax found that25 percent of respondents or family mem-bers had paid for a medical test, treatment

or counseling rather than submit a bill orclaim under a health plan or program. The1999 and 2005 CHCF surveys found 5percent of individuals had paid for a med-ical test because they did not want an em-ployer or others to gain access to the med-ical information.

32. California HealthCare Foundation,National Consumer Health Privacy Survey2005, 2005, 19; http://www.chcf.org/top-ics/view.cfm?itemID=115694.

33. Comparisons of the 1999 and 2005CHCF surveys found that the proportiontrying to hide medical information rosefrom 15 to over 20 percent. The 1999 sur-

vey found 3 percent nationally had asked adoctor not to write down a medical prob-lem in their record or had gone to anotherdoctor to avoid telling their regular doctorabout a health condition, and in 2005, bothfigures grew to 5 percent. The 1999 figureof 15 percent engaging in privacy protect-ing behavior was based on six questions; the2005 figure on only four of them. Statisticalextrapolations (available from the author)estimate a comparable figure for 2005 at 20to 22 percent. In short, the proportion en-gaging in privacy protecting behavior rose



11/11

by over one-third in six years. How muchHIPAAs lack of privacy protections con-tributed to the rise can be estimated in alater study.

34. See D. Linowes, Many CompaniesFail to Protect Confidential EmployeeData, University of Illinois Survey Re-search Lab, Fall 1995, http://www.epic.org/

privacy/workplace/linowesPR.html. One-third of employers in the survey acknowl-edge using health information for employ-ment decisions.

35. Francis, Setting the RecordsStraight.

36. U.S. Government AccountabilityOffice, Health Information: First-Year Ex-periences under the Federal Privacy Rule,report to the chairman, Committee onHealth, Education, Labor, and Pensions,U.S. Senate, GAO-04-965, September 3,2004.

37. Horn v. New York Times, No. 20,2003 NY LEXIS 221, Ct. App. February

25, 2003.38. Harold Eist v. Maryland State Board of

Physician Quality Assurance (Civil Case No.240300, Cir. Ct. Montgomery County;No. 00329, Court of Special Appeals ofMaryland) and 29 Brief of Amicus Curiae,including the Program in Psychiatry andthe Law, October 20, 2006, in support ofEists position. The estranged husband of adivorcing mother and children in therapy

with Eist filed a complaint about the thera-py with the Maryland Board, which de-manded the family records.

39. Daniel S. Shrager, M.D., v. MagellanBehavioral Health, Highmark Blue Cross and

Blue Shield and Green Spring Health Ser-vices, Allegheny County (Pa.) CommonPleas Court, Civil Division (C.D. PA, GD00 015809). In deciding that a healthplan wrongly terminated a psychiatrist whorefused to turn over complete patientrecords as part of a quality improvement as-sessment, the courts affirmative answer re-inforces the importance of the physician-patient relationship.

40. U.S. Government AccountabilityOffice, Health Information. The reportexplains, Nearly two-thirds of the privacycomplaints closed during the rules first yearof operation fell outside the scope or time

frame of the rule. This included the 35.4percent of closed privacy complaints thatinvolved alleged actions by providers, healthplans, or other entities that OCR [Office ofCivil Rights] determined would not consti-tute violations of the regulation even if true.In other words, they concerned actions to

which the patient might object, but thatwere not prohibited by the Privacy Rule (p.22, cf. Table 1).

41. R. Pear, Ruling Limits Prosecutionof People Who Violate Law on Privacy of

Medical Records, New York Times, June 7,2005.

42. R. Pyles, Brave New World, TheAmerican Psychoanalyst39, no. 3 (2005):31-32, at 31.

43. T. Sloane, Its Private When TheySay So, Modern Healthcare, February 23,2004, 22. Department of Justice brief,

Opposition to Northwesterns Motion toQuash Subpoena, National Abortion Feder-ation et al. v. Ashcroft, No. 04 C 0055(N.D. III).

44. See Program in Psychiatry and theLaw amicus brief to Supreme Court cert.petition in Citizens on the costs from theabsence of confidentiality and consent, pp.10-11.

45. In addition, misunderstanding ofHIPAA, which permits public health dis-closures, may reduce the reporting of infec-tion diseases; M. Wolf and C.L. Bennett,Local Perspective of the Impact of theHIPAA Privacy Rule on Research, Cancer

106, no. 2 (2006): 474-79. Also, the re-quirement for authorizations for researchmay reduce research study participation; D.

Armstrong, Potential Impact of theHIPAA Privacy Rule on Data Collection ina Registry of Patients with Acute CoronarySyndrome, Archives of Internal Medicine165 (2005): 1125-29.

46. J. Ascher, D. Body, and M. Leppert,HIPAA Privacy: HIPAA Standards for Pri-vacy of Individually Identifiable Health In-formation: An Introduction to the ConsentDebate, Journal of Health Law35, no. 3(2002): 387; for a similar point, see theHealth Privacy Project, Comments on

Proposed Modification to Federal Stan-dards for Privacy of Individually Identifi-able Health Information, April 26, 2002,1; http://www.healthprivacy.org/usr_doc/NPRM_HPPComments.pdf.

47. M. Clyne, President to Push Med-ical Record Computerization, BaltimoreSun, January 6, 2006.

48. See comments of the Health CareLeadership Council at the meeting of theU.S. House Ways and Means Subcommit-tee on Health, March 29, 2003.

49. See information on the DHHS con-tract with Research Triangle Institute (RTI)to identify barriers to interoperability of

electronic medical records; http://www.ma-healthdata.org/forums/hispc/index.html.

50. Doscher, HIPAA: A Short and LongTerm Perspective on Health Care, 79.

51. The DHHS noted (65 Federal Regis-ter82,771) that for providers that current-ly obtain written consent, there is only anominal cost for changing the language onthe document [to ask consent]. For this ac-tivity we assumed $0.05 cost per documentfor revising existing consent documents.

52. Doscher, HIPAA: A Short and LongTerm Perspective on Health Care, 79. The ad-ditional health care and other expenses cre-ated when 20 percent of patients feel re-quired to pursue privacy-protecting behav-ior likely exceed the cost of consent ($101million) by a great deal. Research is neededto establish the magnitude of the costs.

53. I draw here upon the policy sugges-tions of colleagues at the Program in Psy-chiatry and the Law, particularly MichaelCommons and Barry Roth.

54. Ferguson v. City of Charleston, 532 US67, 78 (2001). See also Gruenke v. Seip, 225F.3rd 290 (34d Cir. 2000) and Sterling v.Borough of Minersville, 232 F.3rd 190, (3rdCir. 2000).

55. See the Program in Psychiatry andthe Law amicus brief in Citizens, available athttp://www.pipatl.org/amicus.php. The dis-trict (03-02267) and appeals courts (04-2550) ruled against the plaintiffs largely onstate action grounds: private entities are

denying the right to medical privacy, andcourts cannot force private actors to respectconstitutional protections. The plaintiffs in-stead maintain that granting private entitiesthe license of regulatory permission to usepatient medical records without their con-sent constituted governmental action, asdid levying fines for offering consent butnot seeking it or violating confidentiality.The Supreme Court (05-1311, 127 S. Ct.43) denied the petition for a writ certiorarito review the case on October 3, 2006. Theplaintiffs are considering further legislativeand litigation strategies.

56. Concerned patients and providers

can contact the U.S. Senate Committee onHealth, Education, Labor and Pensions andthe House Committee on Energy andCommerce to urge them to include privacyand consent provisions in S. 1418 and H.R.4157.

57. See American Medical AssociationEthical Force Program, The Domain ofHealth Care Information Privacy: Protect-ing Identifiable Health Care InformationalPrivacy: A Consensus Report on EightContent Areas for Performance MeasureDevelopment, December 2000; www.ama-ssn.org/ama/pub/category/7726.html.The Ethical Force Program states: When-

ever feasible, health information trusteesshould obtain valid informed consent fromindividuals for the collection, storage, or useof personally identifiable health informa-tion (p. 15). See S. Lohr, Doctors JournalSays Computing Is No Panacea, New YorkTimes, March 9, 2005. The AMA has, how-ever, supported electronic medical recordsystems that underplay privacy and consentissues; see materials available at www.ama-assn.org/ama/pub/category/16195.html.


hasting center the privacy rule that’s not

Documents