A tougher medical privacy law

Times Staff Writer

A South Carolina company suspended an employee for refusing to divulge her medical records. A New York congresswoman’s medical records revealing a suicide attempt and treatment for depression were leaked to the media on the eve of an election. A public health worker in Tampa, Fla., sent the names of 4,000 people who were HIV-positive to two newspapers.

All these breaches of medical ethics occurred in the last few years. Beginning today, such actions not only will violate ethical guidelines, they also will be illegal.

A broad new federal medical privacy law takes effect today, culminating a decade-long drive to overhaul the way doctors, pharmacists, hospitals, health care providers and others handle patient information. The law -- known as the Health Insurance Portability and Accountability Act -- creates for the first time a national standard for medical privacy, giving patients greater control over their health records.

The law’s most dramatic change will be to significantly strengthen the recourse that patients have when their medical privacy is violated. Until now, a patient who felt wronged could only file a civil lawsuit, seeking financial penalties. The new law allows patients to file complaints to the Department of Health and Human Services, which can then pursue criminal penalties, including a $250,000 fine and 10 years in prison for the most serious offenses.


The new regulations, which fill a 443-page government document, have provoked confusion, fear and a rash of rumors, from the serious to the silly. Can a doctor be slapped with a big fine for talking about a patient in an elevator? (No.) Can a nurse be jailed for leaving a medical file drawer unlocked? (Again, no.)

“There really have been a number of lies about HIPAA: That you’re going to make a mistake and go to jail, that kind of thing,” said Steven Fleisher, a consultant who is working with the California Medical Assn., a Sacramento-based physician organization, on implementing the rules. “You have doctors sitting around hospital lounges telling each other these fairy tales.”

For all its undeniable sweep, the law seems to be barely registering with most Americans. But among doctors, pharmacists, hospitals and health insurers the changes already are being felt deeply -- and sometimes painfully.


Additional expense

For months, health care providers have been scrambling to meet today’s deadline amid a lot of complaints about all the additional expense and work required to comply with the rules.

There’s little doubt implementation will be expensive, although just how much and who finally will pay for it seems unclear. One government study put the cost of nationwide compliance at $18 billion, while another, from the American Hospital Assn., a trade group representing more than 1,000 hospitals, pegged the cost at closer to $22 billion.

To be sure, many patients may welcome rules that promise to better protect confidential medical information. A recent survey, for example, found that two out of three Americans don’t believe health plans or government programs maintain medical confidentiality all or most of the time.


Aware that others have been denied either insurance coverage or employment because of a previous health condition, some patients have gone to great lengths to maintain their privacy. Some privacy rights groups estimate that about 10% of patients -- even those with medical insurance -- pay medical bills out of pocket rather than submit insurance forms because of privacy concerns. Others may switch doctors often or delay seeking medical care for similar reasons.

Although many privacy advocates welcomed the law, some said the new rules didn’t go far enough in closing privacy loopholes. “It’s a modest first step,” said Janlori Goldman, director of Georgetown University’s Health Privacy Project.

For most patients, the changes will occur largely behind the scenes. One change that will be noticeable is that patients visiting the doctor, pharmacy or hospital will be required to read and sign a six-page document detailing their new rights. Those rights, for example, will prohibit health care providers and plans from disclosing identifiable health information to employers.

Among other changes: Patients no longer will have to list the “reason for visit” when signing in at a doctor’s office -- information that previously might have been seen by other patients. Also, pharmacists are urged to be more discreet and they are specifically prohibited from calling out a patient’s name and prescription.


Out of public view, however, it’s been a mad scramble to prepare for the law’s deadline. In large health organizations, such as Oakland-based Kaiser Permanente, millions of dollars are being spent to upgrade computers, train staff and hire consultants. The mood has been likened to the furor several years ago over the so-called Y2K computer bug.

For small medical practices, the demands of meeting requirements have created more than a few hassles and added costs. David Campisi, an internist in San Pedro, has had to devote hundreds of hours of extra staff time to understand and satisfy the new law. He asked the office’s janitorial service to sign a confidentiality agreement promising to protect patient information. And patient charts were moved to a different location, out of sight of office visitors.

There is widespread skepticism among health policy experts that the government will devote adequate resources to enforcing the new rules. The Department of Health and Human Services Office for Civil Rights plans to assign only about 100 agents nationwide to follow up on complaints, though government officials say more agents may be added if the volume of complaints is higher than anticipated.

“There’s going to be very little enforcement because you really have to show that someone intentionally violated the law in order to go to jail or to have any kind of strong penalties,” said Goldman. “I’m not very optimistic.”


Government officials acknowledge that they will rely mostly on voluntary compliance. “We aren’t going to have the privacy police out there checking up on everyone,” said Bill Pierce, a department spokesman.


Effects in California

In California, already known for some of the toughest privacy laws in the nation, the law may have less effect than in the many states that have virtually none. The federal regulations, for instance, will enable patients in more than a dozen states to see their medical records for the first time; Californians already have this right, though many are not aware of it.


Privacy advocates say the law is not a cure-all for securing medical information. A glaring weakness, they say, is that it does not allow individual patients to sue. Under the law, patients must file a written complaint either on paper or electronically within 180 days of the incident, and the government will decide whether to pursue a case. (More information about how to file a complaint is available at

In hopes of prodding the government to enforce the new privacy laws vigorously, the Health Privacy Project announced last week that it will be monitoring privacy complaints. The organization posted a model complaint form on its Web site (

Another sore point, privacy advocates argue, is that the law still allows the sharing of some medical information for marketing purposes. The original law, drafted under the Clinton administration, was much more restrictive of such practices, but those rules have been softened by the Bush administration.

Thus, although doctors and pharmacies are banned from selling patient names and health care information to a drug company, a doctor or pharmacist is allowed to be paid to solicit a drug sale. In effect, a pharmacist could become “a middle man” for the drug company -- although any sales attempts must identify who provided them with your information.


“It’s really just a paid ad from the drug company,” Goldman said. “This is one we’re really fighting.”



Fact and fiction


During the last few months, rumors have been circulating about the new federal medical privacy law. Here are a few of them:

* A patient’s name no longer can be called out in a waiting room. (Not true. However, sign-in sheets no longer should ask for the reason for the visit.)

* Doctors no longer can send e-mails to patients. (Not true. E-mails between doctor and patient are acceptable as long as the messages are encrypted and sent on a secure computer network.)

* Hospitals will need to eliminate semi-private rooms. (Not true. Doctors should exercise discretion when talking to a patient who shares a room with another, but hospitals do not need to eliminate shared rooms.)


* Workplace supervisors no longer will be able to tell their staffs that another employee is out sick. They can only identify them as absent, without further explanation. (Not true. This is an extreme interpretation of HIPAA rules that does not apply in the majority of cases.)

* Hospitals will withhold patient information from family members. (Not true. Medical information would be withheld from family only if the patient had requested that this be done.)

Source: Health Privacy Project, Department of Health and Human Services’ Office for Civil Rights



Rights guaranteed under HIPAA

* Health care plans and providers must explain new rights to patients.

* Patients must be given access to their medical records upon request and have the right to correct mistakes.

* Health care providers and plans are barred from disclosing medical information that could identify an individual to employers.


* Patients can request that hospitals not provide their name and health status to outside parties, including the media.

* Health plans are not allowed to view medical notes from a patient’s psychotherapist without the patient’s permission. Previously, health care plans could access such notes to justify further mental health treatment.

Source: The Health Privacy Project