TO: Interested Persons
FROM: Ron Weich, ACLU Legislative Consultant
RE: Medical Records Privacy
DATE: March 7, 2001
A recent decision by the Bush Administration threatens to delay or weaken long-sought medical privacy protections in federal law. The ACLU supports the strongest possible medical confidentiality rules and opposes industry-led efforts to reduce patient privacy.
CURRENT STATUS OF PRIVACY PROTECTIONS
In the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Congress recognized that federal medical privacy protections are vital in an age of electronic record keeping. At that time, Congress gave itself a three-year deadline to enact a medical privacy statute, and said that if a law were not enacted by August 21, 1999, the U.S. Department of Health and Human Services must establish privacy protections by regulation.
Despite vigorous lobbying by the ACLU and other groups, Congress failed to meet its self-imposed deadline and HHS began the process of writing regulations. On November 3, 1999, HHS published a proposed privacy rule (64 Fed. Reg. 59918). After receiving many comments from the public, HHS published a final regulation to protect the confidentiality of individually identifiable health information on December 28, 2000 (65 Fed. Reg. 82462).
Soon after former Wisconsin Governor Tommy Thompson became Secretary of Health and Human Services in the new Bush Administration, he signaled a review of the medical privacy regulations. On February 28, 2001, Thompson announced that the effective date of the rule would be delayed until April 14 and during this period of delay, HHS would seek additional public comments on the final rule (66 Fed. Reg. 12738). The delay until April 14 was unavoidable due to the failure of the previous Administration to submit the regulation to Congress last December as required. But the new period of public comment is not mandatory, and we fear that it means Thompson intends to delay or weaken the regulation, as many industry groups have requested.
Under HIPAA, health care entities are not required to comply with the privacy regulation until 24 months after the rule becomes effective. So there are two ways HHS can weaken privacy protections: First, it can delay the effective date of the regulation beyond April 14. Second, it can use the comments it receives from industry groups during the new 30-day comment period to modify the rule after it becomes effective but before compliance is required. The ACLU will fight either effort to diminish patient privacy.
ACLU VIEWS ON MEDICAL PRIVACY REGULATION
The ACLU believes that the regulation published last December by the Clinton Administration, while not perfect, represents a major advance in the struggle for medical privacy.
The most important aspect of the rule is that it establishes in federal law for the first time the principle that medical information may not be disclosed without the consent of the patient. There are exceptions to this principle, some of which are drafted too broadly. But there are no comprehensive privacy protections in federal law now, so the regulation creates an important baseline of protection. Because stronger state laws are not preempted by the regulation, states can go further to protect patients from unauthorized disclosures of health information.
Moreover, the final rule incorporates many of the ACLU's recommendations to improve the proposed rule published in November 1999. For example:
- The final regulation requires patient consent, even for purposes of payment, treatment and health care operations. The proposed regulation permitted providers to disclose health information without patient consent for these core functions.
- The final regulation deletes a catch-all privacy exception when health information is compiled for use in government data systems.
- The final regulation makes clear that minors may maintain the privacy of their own health information in a variety of circumstances in which law and long-established practice protect their right to obtain medical services on their own.
- The final regulation protects the privacy of deceased individuals in perpetuity. The proposed regulation only protected privacy for two years after a patient's death.
The proposed regulations contained overbroad exceptions for the disclosure of medical records in civil litigation and for health oversight activities. These exceptions are narrowed in the final regulation.
The scope of the final regulation is broad, covering most paper records and oral communications if they will eventually be reduced to electronic form. The proposed regulation largely covered only electronic records.
At the same time, the final regulation still contains significant flaws, including the following:
- The final regulations do not meaningfully limit law enforcement access to medical records. Police officers may obtain records without approval of a neutral magistrate and they need not provide notice to the individual whose records are sought. An overbroad "identification exception" in the proposed regulation would enable the police to obtain medical records any time they seek to identify a suspect. The final regulation narrows this exception cosmetically, but does not close this glaring loophole to privacy.
- The final regulation contains a new provision permitting health care providers to solicit their patients for marketing and fundraising purposes. While this is ostensibly a "one-time" exception to privacy, marketing will continue unless the patient opts out of future solicitations, a burdensome and unwarranted requirement.
- Due to deficiencies in the 1996 law authorizing the regulation, the new privacy protections do not authorize a private right of action or other serious enforcement mechanism. HHS may impose civil fines on those who violate the regulation, but for many providers these penalties will lack deterrent effect. Also, the statute limits the types of entities covered by the new rules.
ACLU STRATEGY TO PROTECT AND STRENGTHEN MEDICAL PRIVACY
The ACLU will seek to strengthen federal medical privacy on three parallel tracks:
- First, we will submit detailed comments to HHS strongly opposing any effort to further delay or reopen the final medical privacy regulation published last year. The American people have been waiting too long for the federal government to protect medical privacy rules. While the final rule is not perfect, it creates a strong baseline of protections and we support it going into effect on April 14.
- Second, in our submission to HHS, we will say that if the rule is reopened notwithstanding our opposition, we believe the privacy protections in the rule should be strengthened, not weakened. Specifically, we will urge that the provisions related to law enforcement access and marketing be revised to eliminate unnecessary exceptions to the principle that health information may not be disclosed without the consent of the patient.
- Third, the ACLU will lobby Congress to block any weakening of the regulation by HHS and to enact statutory changes to improve the regulation. Notably, the ACLU will urge Congress to limit unauthorized health marketing, require law enforcement officers to obtain a warrant or a court order before obtaining medical records, and establish a private right of action to enforce privacy protections.