Safeguards for Patients’ Privacy Could Actually Backfire

Doctor groups and privacy advocates have charged that new government rules, touted as protecting patients’ confidentiality, will instead make it easier for employers, researchers, law-enforcement officials, the federal government and others to gain access to people’s medical records without their consent.

The Department of Health and Human Services is reviewing some 53,000 public comments on the proposed regulations, which were announced last fall and are expected to be issued in final form in the next few months.

The rules, mandated by Congress, represent the first federal effort to safeguard the privacy of medical records. When President Clinton unveiled them last fall, he said that “they would greatly limit the release of private health information without consent.”

But by eliminating the requirement for patient consent in many situations, the rules would have the opposite effect, predicted Richard Sobel, a political scientist at Harvard Medical School.

The administration “stressed the privacy protections,” Sobel said. “But . . . it turns out that these regulations essentially abolish informed consent” if a patient’s medical records are being used for providing treatment, arranging payment or for “health-care operations,” an ill-defined term that covers many activities of managed-care plans and health insurers.

In addition, under some circumstances, the rules would permit health providers to release private medical information without obtaining a patient’s consent to police, employers, researchers and government data banks.

*

The tug-of-war over medical records has intensified in the last decade, as computers have allowed health-care providers, insurers and others to store vast quantities of information and to search and transfer it rapidly. A 1996 law required Health and Human Services to issue rules protecting privacy of medical records transmitted via computers if Congress didn’t pass legislation on medical privacy within a specified period. Last year, Congress missed the deadline, triggering the rule-making process.

Administration officials and many members of Congress consider the new rules a stopgap measure and believe a comprehensive medical privacy law is sorely needed. For example, the proposed rules would apply only to medical records sent by computer--not to those solely on paper, nor to records typed on a word processor or sent by fax but never transmitted via computer network.

“That’s why this is silly,” an administration official said. “We should cover health information and not worry about what type of electron is assisting” in its recording.

At least five bills on medical privacy have been introduced in Congress this session, but none is making much headway. The issue has provoked heated lobbying by competing interests--including doctors, hospitals, insurers, privacy advocates, drug companies, large employers, the medical research community, the data-management industry and antiabortion groups.

“This is a messy, complicated issue,” said Zoe Hudson, a senior policy analyst at Georgetown University’s Health Privacy Project. It “has a lot of tentacles.”

Both fans and critics of the new regulations acknowledge that they would establish certain new rights for patients, including the right to see and amend one’s medical record. They also would require doctors, hospitals and health plans to provide notice of how they intend to use patients’ medical information and to keep track of what is disclosed.

The rules also attempt to make managed-care plans and health insurers responsible for monitoring the practices of the many outside contractors who routinely see and handle the patients’ medical records. Such contractors include companies that manage pharmacy benefits, conduct quality-assurance audits and profile doctors’ behavior.

*

Much of the debate focuses on provisions that would authorize doctors and health plans to release information from medical records for various purposes without notifying patients or obtaining their consent. Such purposes could include “disease management” programs (efforts by health plans to closely monitor patients with chronic illnesses) as well as institutionally approved research studies, law-enforcement investigations and government data banks.

Institutions that do research--including medical schools and drug companies--often need to use medical records for studies, and they oppose provisions in the rules that might hinder access to such information. Drug companies depend on doctors, hospitals and health plans to help them test new treatments and monitor drug safety. The rules provide for criminal and civil penalties if patient information is improperly released.

“Some of those provisions, we think, will have a very chilling effect on the willingness of folks we depend on for access to information,” an industry spokesman said.

Administration officials said the new rules attempt to balance privacy concerns with the legitimate information needs of health plans, public health departments, researchers and others.

“We considered requiring a separate individual authorization for every use or disclosure of information but rejected such an approach because it would not be realistic in an increasingly integrated health-care system,” states the preamble to the proposed rules.

But some doctor groups maintain that permission should always be required before releasing medical information traceable to individual patients.

“Nobody should have the right to your private information without your consent at the time,” said William G. Plested III, a California surgeon and trustee of the American Medical Assn.

Many state laws require patient consent, and such systems “actually work pretty well,” said Paul S. Appelbaum, chairman of psychiatry at the University of Massachusetts and vice president of the American Psychiatric Assn.

“Only in exceptional circumstances will [patients] say no--and those are the particular situations in which you would want them to have permission to say no,” Appelbaum said.

Under the new rules, psychotherapy notes would be specifically protected from disclosure. But when records are requested for the purposes of treatment, payment or “health-care operations,” doctors would have to hand over other psychiatric information, such as diagnoses and records of drug treatment, without a patient’s consent, Appelbaum said.

Many comments on the proposed rules are from health-care consumers expressing displeasure at the prospect of expanded access to their medical records. An administration official said thousands of such sentiments were received as e-mail messages from customers of Working Assets, a San Francisco-based telephone and Internet service provider that encourages users to send e-mail as part of “citizen action” initiatives on various issues.

Seventy Health and Human Services employees are working to summarize comments dealing with more than 100 separate issues discussed in the rules, the official said.

“Everything that we proposed was open for comment,” he said. “Anything could change.”