The privacy balancing act

HHS' attempt to strike a balance between patient privacy and administrative simplification seems to have missed both targets.

Editorial. March 20, 2000.

When Congress enacted the Health Insurance Portability and Accountability Act in 1996, it gave itself a deadline for developing guidelines governing the privacy of patient information for electronically transmitted medical data -- a critical concern in this digital age. Perhaps not surprisingly, Congress failed to meet that deadline; so, under terms of the legislation, the task went to the secretary of Health and Human Services.

Late last year, HHS submitted proposed regulations that it said attempted to strike a balance between patient privacy and administrative simplification. Unfortunately, it appears to have missed both targets.

In correspondence with HHS and in testimony before Congress -- the latter may well roust itself to intervene -- the American Medical Association has pointed out significant shortcomings in the proposed regulations.

Several key areas pose particular concerns, including:

A patient's confidential information could be disclosed without his or her consent for a broad array of purposes not related to his or her individual treatment or payment, and extending far beyond any disclosures or uses that the patient might expect when seeking care.
The proposed regulations would not hold accountable many of the holders of the information who might misuse it, despite the regulations' attempt to compel physicians and other covered entities to exercise oversight.
A physician might be held liable for the uncontrollable misdeeds of "business partners," although the physician was in compliance with the regulations.
There has been no substantive calculation of the administrative burden and costs of implementing the regulations, although it is apparent that physicians -- particularly those in solo practice or small groups -- would bear a disproportionate amount of the cost.
Finally, the 1996 legislation was enacted with the goal of simplifying health care administration and reducing costs; the regulations fail to accomplish this and, at the same time, do not offer patients improved expectations for privacy protection.

The growing need to protect the privacy of patients is a direct side effect of the advances in technology that facilitate the exchange of vast amounts of information.

Patient information is used by various entities in the health care delivery system, including hospitals and health plans, for purposes far removed from patient care. The financial services reforms legislation enacted last year that allows closer business collaboration among insurance companies, banks and securities firms heightens concerns about potential information on individuals' health status.

Patient information, in the aggregate, serves many valuable purposes. However, many entities mistakenly believe that personally identifiable health information should be available for a variety of seemingly compelling purposes without the patient's explicit consent. These entities cite a "need" for such patient information -- a philosophy reflected in the HHS regulations and one the AMA vigorously rejects.

The AMA has long adhered to the principle that any health care legislation or regulation should first consider the interests of the patient. The regulations proposed by HHS fall far short of this target. If patient privacy is to be protected, any entity seeking access to patients' confidential medical information should be required to pass a stringent test to demonstrate why its need for the information overrides the basic rights of the patient. Further, the public deserves a full, open discussion of who is seeking their medical information and how it might be used.

Although informed consent clearly is not practical in some cases, those situations should be dealt with in one of two ways: either the identifying information should be stripped from it, or an objective and publicly accountable entity should conclude -- after weighing the risks and benefits -- that patient confidentiality is not required. Such an approach would provide a reasonable balance between the interests at stake.