Your Medical Privacy
By Jennifer Van Bergen
t r u t h o u t | Report
Monday 19 May 2003
All across America, medical providers and pharmacists are requesting clients sign a form that acknowledges the client has read the provider s privacy policies. Most providers claim they continue to protect your privacy. Do they?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes a set of national standards for the protection of certain health information. According to the United States Department of Health and Human Services (HHS), the Privacy Rule promulgated as part of HIPAA, provides patients with access to their medical records and more control over how their personal health information is used and disclosed. HHS states that the new standards represent a uniform, federal floor of privacy protections for consumers across the country. The Privacy Rule does not preempt any state law that requires more privacy. It merely provides a bottom-line standard.
This is a good idea. However, unfortunately, the HIPAA Privacy Rule does not really protect your privacy very much at all. While doctors, medical facilities, and pharmacies might really intend to protect your records from unwanted intrusions, there are numerous exemptions which allow disclosure <i>without your authorization</i>. For example, covered entities may use and disclose protected health information without individual authorization as <i>required by law</i> (including statute, regulation, or court orders). More specifically, covered entities may disclose protected health information to law enforcement officials for law enforcement purposes related to certain kinds of criminal investigations. This makes some sense. Furthermore, criminal investigations must adhere to strict constitutional standards, such as probable cause to obtain a warrant, and so on.
Yet, there are other exemptions that show the lie behind the notion of privacy protection in the HIPAA Privacy Rule. For example, your supposedly protected health information is subject to disclosure without your authorization for research or for essential government functions. Research may include any systematic investigation designed to develop or contribute to generalizable knowledge. Essential government functions may include assuring proper execution of a military missions [and] conducting intelligence and national security activities. Even determining eligibility for or conducting enrollment in certain government benefit programs creates an exemption.
Thus, within the HIPAA Privacy Rule, the exemptions are numerous and broad enough to create concern. Of at least equal concern is the fact that under HIPAA, medical providers are incorrectly informing their patients (and having them put their signatures to it) that the privacy of their health records is protected. When someone comes along who challenges that assertion, the Good Samaritan is viewed with suspicion. In the current climate and under current laws which already threaten many civil liberties, this creates even greater cause for concern.
Finally, it is not commonly known that your medical records are subject to the same provision of the USA PATRIOT Act that requires libraries to give federal law enforcement your computer usage and book borrowing information upon request without telling you. Section 215 of the PATRIOT Act does not just apply to libraries. It applies to any records kept by a third party, including medical records. Thus, if federal law enforcement requested your medical records, your doctor would have to provide them and would not be able to tell you. HIPAA protection is utterly without teeth in this circumstance.
The problem with the PATRIOT Act s intrusion into your medical records is that those records can be obtained by any FBI agent without probable cause that you are involved in any criminal activity at all. The agent need only certify that he seeks the records for a foreign intelligence investigation and the judge must rubber stamp the request.
What all this comes down to is that your medical privacy is not protected, despite HIPAA s good intentions. The ACLU is considering how best to inform medical providers about the PATRIOT Act s effect on medical privacy. At the very least, every medical office and pharmacy should post a notice like those posted in libraries that inform clients that under the PATRIOT Act, the medical provider would have to divulge your private medical records if federal law enforcement asked.
What can you do? Tell your doctors about Section 215 of the PATRIOT Act. Bring them a print-out from one of the links below. Ask them to post a notice to their patients.