Patient privacy is a right long advocated by the American Medical Association (AMA).
Establishing federal privacy protections is a worthwhile endeavor. Yet, consensus on the details has proven to be extremely difficult. The inability of Congress to pass privacy legislation after years of debate, the 52,000 comments received by HHS in response to its proposed rule, and the size of the 1535-page final regulation, underscores the complexity of this issue.
The AMA considers patient autonomy to be a fundamental element of medical ethics.
Yet, the final rule does not give patients full control over the use or disclosure of their protected health information. This is due mainly to the widespread belief that personally identifiable health information should be available for a vast array of seemingly compelling purposes without explicit patient consent. The AMA has consistently maintained that a declared “need” for health information does not necessarily confer a right.
The final rule is an improvement over the proposed rule, but it does not go far enough to protect patients. The AMA expressed numerous concerns in response to the proposed rule. HHS addressed some of these issues in the final rule, but other serious issues remain:
- The rule does not apply to many users of health information, such as employers, life insurers, law enforcement, and others because the scope of HIPAA is too limited. Patient privacy and confidentiality will not fully be protected until Congress acts to extend HIPAA requirements to these entities.
- Health information may still be used without patient consent by health plans for broad categories of purposes beyond direct claims payment.
- A court order is not required before law enforcement may obtain health information without patient authorization.
- Marketing communications may be sent to patients without their consent.
- Self-funded “group health plans” with less than 50 participants do not need to restrict employer access to employee health information because of the narrow definition in HIPAA.
The final rule includes other problematic provisions:
- The final rule unreasonably holds physicians responsible for noncompliance by their business associates who are not covered by the rule.
- Administrative burdens and costs have not been adequately calculated, and would likely have a disproportionate impact on small physician offices. The estimated cost of $4,000 for small physician offices to comply with the rule is absurdly low. The rule mandates policies, procedures, and training programs for protecting patient information that will require physicians to restructure their practices, possibly hiring new staff. Violations of the rule will result in significant fines—even imprisonment. This seems sorely ironic given that physicians already utilize practices and procedures to maintain the confidentiality of patient information as a result of their ethical duty to protect the physician-patient relationship. Consequently, for many physicians the substantial costs of compliance may not be commensurate with any significant improvements in patient privacy.
To adequately protect patient privacy Congress must extend privacy requirements to entities not covered by HIPAA, and HHS must strengthen certain provisions of the final rule. In addition, physicians should be granted an extension of time to comply with the final rule, thus reducing the budgetary impact by spreading costs over a longer time period.