It has been widely asserted, and most people believe, that the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of health information. Unfortunately, this is a myth. Just as the “P” in HIPAA does not stand for “privacy,” it turns out that the HIPAA Privacy Rule, which went into effect in 2002, actually eliminates privacy protection, and does so in a way that prevents privacy violations from being detected, monitored, or audited.
At this point, I’m sure you are quite skeptical — as you should be. After all, you’ve heard over and over that HIPAA protects your privacy. Furthermore, you’ve signed those long HIPAA forms at every doctor’s office, clinic, and hospital. You’re wondering “How can this be so?” I urge you to read on and find out the real story.
First, let me describe the basic provisions of the HIPAA Privacy Rule. It says that your health information cannot be disclosed without your consent with three exceptions:
These so-called “TPO” exceptions (named for the first letter of each) seem quite reasonable. After all, you want your medical information to be used for your treatment — that’s the primary purpose of having it recorded. You also want your information to be used to process your insurance claims — that’s why you have insurance (assuming you’re not one of the tens of millions who don’t have insurance — but that’s another subject). And you also want every health care organization to be able to perform routine operations, such as monitoring the quality of care that is provided. So what’s the problem?
The problem is this: Who decides whether a particular disclosure of your health information falls under the TPO exceptions, and can be done without your consent? It’s whoever has the information — the hospital, health plan, insurer, etc. And when they make that decision, they do NOT have to inform you that a decision is being made. You have NO input and NO right to appeal or review.
What’s even more disturbing is that once a decision is made to disclose your information under the TPO exceptions, THERE IS NO REQUIREMENT FOR ANY RECORD OF THE DISCLOSURE. That’s right — incredibly, disclosures of health information under the TPO exceptions do not need to be recorded. Therefore, you cannot find out who has received your health information if it was provided under a TPO exception (as determined solely by the holder of the information). So in addition to not having an opportunity to be involved in the decision about whether a given disclosure qualifies as TPO, you can’t find out afterwards if the organization is really following the TPO definitions appropriately or just disclosing your information to anyone they wish (and justifying it as falling under the TPO exceptions).
In foreign policy, President Reagan was famous for his “Trust but Verify” approach. In stark contrast, the HIPAA Privacy Rule is a “Trust but Keep no Records That Would Allow Verification” approach. While all of us hope that decisions about disclosing our health information are being made in a reasonable and equitable way, THERE IS NO WAY TO FIND OUT if this is indeed the case.
I want to make it clear that I am not accusing any health care organizations of disclosing private health information inappropriately. I believe, as I would guess you do, that the overwhelming majority of folks in the health care industry handle our information with the utmost care and integrity. But I also know that there are always some bad apples and that accountability and monitoring are absolutely necessary. HIPAA provides NO accountability — the lack of records of TPO disclosures means there is no way to know (even after the fact) if there are improper or illegal disclosures.
For those who may still be skeptical of my claim that no records are required for TPO disclosures, here is the actual text of the provision in the Code of Federal Regulations that says that you cannot get an accounting of TPO disclosures of “protected health information” (emphasis added):
TITLE 45, PART 164_SECURITY AND PRIVACY
Subpart E. Privacy of Individually Identifiable Health Information
Sec. 164.528 Accounting of disclosures of protected health information.
(a) Standard: Right to an accounting of disclosures of protected health information.
(1) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures:
(i) To carry out treatment, payment and health care operations as provided in Sec. 164.506;
So the forms you’ve been signing in doctor’s offices, clinics, and hospitals, are not, as many believe, “consent forms.” They are your notification about the provisions of HIPAA — essentially, you are being notified that YOUR PRIVACY IS NOT ASSURED. And it doesn’t matter if you sign or not — the HIPAA provisions apply to you regardless.
Finally, why is this important? First, you should be able to control your health information in the same way that you have the right to decide what treatments you receive. Second, inappropriate disclosure of health information can hurt you by, for example, damaging your ability to get a job. Third, if we are going to covert our mostly paper medical records to electronic form, we need to do a better job protecting privacy because everyone knows that electronic records create more risks because they are more easily accessible.
Prior to the adoption of the HIPAA privacy rule in 2002, it was a long-established legal principle that you have the right to control all access to your own health records. As we make the transition to electronic health records with health record banks, we need to reinstate this important legal right.