• Health reform
• EMRs
• Medicare
• Liability
• AMA House
• » More

• Contract Language
• Ethics Forum
• In the Courts
• Practice Management
• Technically Speaking
• » More

• Issue dates
• Regions
• Health plans
• Sections
• News briefs
• Columns
• Editorials
• Letters
• Series
• Writers
• Other years

• Search tips
• Email alert
• RSS
• Mobile
• Subscribe
• Institutions
• Staff directory
• Advertising
• Permissions
• Reprints
• News media
• Site guide
• Useful links
• About
• Premium
• Contact

• AMA Wire
• CPT
• DMPHP
• JAMA
• JAMA&Archives
• news@JAMA
• Virtual Mentor
• Physician jobs

Weak spots noted in health privacy rules

Provisions on patient consent and drug company marketing come up short, some say.

By Joyce Frieden, amednews correspondent. Feb. 26, 2001.

• PRINT|
• E-MAIL|
• RESPOND|
• REPRINTS|
• SHARE
•  

Washington -- Anyone hoping that the new federal health privacy rules will make it easy for patients to opt out of drug company mass marketing efforts should think again, according to testimony at a recent Senate hearing on the regulation.

"There is a provision where someone could request, up front, not to have this information at all," said Leslie Aronovitz, director of program administration and integrity issues at the General Accounting Office's health care division. Aronovitz testified at the Feb. 8 Senate Health, Education, Labor, and Pensions Committee privacy hearing. "But it's very difficult to do, it's not well known, and in fact, there are questions as to whether it would actually work."

Aronovitz was responding to a question from Sen. Hillary Rodham Clinton (D, N.Y.) about whether the regulation's authors could have better protected people from unwanted advertising pitches. Clinton was talking not about television or print ads aimed at the general public, but about marketing materials that companies send to specific patients based on information about their individual diagnosis or treatment. "The idea of mass mailing [that kind of] information or telemarketing information remains troubling to a lot of people," she said.

The regulation states that companies may send marketing materials to patients as long as they explain how patients can opt out of future mailings. But that isn't good enough, said Donald Palmisano, MD, a member of the AMA Board of Trustees.

"Don't give those companies the first free shot at learning about patients' information and sending them one ad," he said. "Once you've breached confidentiality, you've breached it."

The privacy regulation, which implements part of the 1996 Health Insurance Portability and Accountability Act, sets out rules for the release of patient medical information by health plans, doctors, hospitals and other health care providers.

It outlines the circumstances under which third parties, such as employers, life insurers, health researchers and law enforcement officials, may have access to the information. In most cases, the regulation requires providers to obtain written consent from patients before releasing their health care information to third parties.

The rule was issued by the Dept. of Health and Human Services in December 2000, after Congress failed to pass a health privacy law on its own. It was originally supposed to apply only to electronic transactions, but HHS determined that it also could apply to written and oral communication.

One part of the regulation that has generated much discussion is its handling of informed consent. In its proposed rule, HHS said providers did not have to obtain patients' consent to use medical records for "treatment, payment and health care operations."

But the agency changed its mind, and in the final regulation, it requires that "health care providers who have a direct treatment relationship with their patients" obtain consent to disclose information for those purposes.

"Providing and obtaining consent clearly has meaning for patients and practitioners," the authors said in the rule. "Many health care practitioners and their representatives argued that seeking a patient's consent to disclose confidential information is an ethical requirement that strengthens the physician-patient relationship."

But AMA officials say most providers already obtain consent. "More important, physicians are ethically obligated to maintain the confidentiality of the patient-physician relationship," the Association said in a preliminary analysis of the new rules. "Therefore, this new requirement for health care providers adds very little in the way of patient protections."

The regulation does not require health plans to obtain patients' consent at the time of enrollment for their medical records to be used by the insurance company. "It is unclear how a consent obtained at the enrollment stage would be meaningfully communicated to the many providers who create the health information," the authors wrote.

And, they said, such a "blanket consent" would conflict with patients' ability to talk to their providers about which records they don't want disclosed. "To the extent a consent can accomplish the goal sought by individuals and providers, it must be focused on the direct interaction between an individual and provider."

The AMA said exempting health plans from the consent requirement is "troublesome." The result would be that plans would not be required to seek consent for a range of activities that fall under the realm of health care operations, including quality improvement, health professional competency reviews, case management, and licensing and credentialing.

Too quick a time line

Another point of controversy is the regulation's time line. It is to take effect Feb. 26, although most health care organizations will have two years to comply. Small health care firms will have an extra year. But several witnesses testified that two years was not enough time to implement the rule.

"The rule is operationally infeasible, extremely costly and threatens quality improvement efforts across the health care system," said Robert Heird, senior vice president at Anthem Blue Cross and Blue Shield, a multistate insurer based in Indianapolis. "We urge HHS to reconsider."

Sen. Pat Roberts (R, Kan.), whose state includes many small hospitals, expressed similar sentiments. "I don't know how we're going to comply with this," he said. "We all support the goals behind this regulation, but these hospitals are struggling just to keep their doors open."

The AMA would like physicians and others to have two years to implement the regulation, but it wants the two years to start after all the other HIPAA rules have been released, Dr. Palmisano said. "We don't want to start putting things in place and suddenly have additional regulations come out. It's like building a house; the most expensive part is when you have to change something that's already been planned."

Supporters of the new rule argue that delaying its implementation would only hinder patient care. "We believe the regulation should go forward," said Janlori Goldman, director of the Health Privacy Project at Georgetown University, Washington, D.C. "We don't think it's as vague and complicated as some people would like to hold out."

Cost was another issue raised at the hearing. HHS estimated that the privacy rules would cost about $17 billion over 10 years to implement but said that figure would be more than offset by $30 billion in savings generated by other HIPAA provisions.

But John Houston, information system division director for the University of Pittsburgh Medical Center, said he believed that HHS had "seriously underestimated" the cost.

Back to top