Patient-privacy rule's effects are still being debated

By Virginia A. Smith and Dawn Fallik
March 15, 2005

Howard Miller's office is primed for privacy. The computers
have plastic shields to ward off prying eyes. The patient
files are coded by number, not name.  The files hanging
outside the examining rooms face inward to hide names
and ages.

But sometimes Miller, a Philadelphia internist, thinks
privacy protections have gone too far.

"I have this one huge Italian extended family I've been
treating for years," he said. "One of them got sick, and
they were all calling to ask questions. And I couldn't say
anything to them because they weren't on the list of
contacts the patient had approved."

That's the only way Miller can comply with the patient-
privacy rule of the federal Health Insurance Portability
and Accountability Act of 1996, better known as HIPAA.
The law profoundly changed how doctors talk to and about
patients, as well as how patients themselves negotiate
the health-care system.

But two years after the privacy rule took effect, there is
still widespread confusion about who can give what medical
information to whom and grumbling about bureaucracy and
weak enforcement. There is an even deeper debate: does
the law protect or undermine patient privacy?

The Clinton administration required a patient's written
permission to release confidential information for "routine
purposes," such as treatment and payment.

The Bush administration made consent optional. Now,
patients simply sign a basic "notice of privacy practices."

In April, U.S. District Judge Mary A. McLaughlin in
Philadelphia ruled that the new provisions did not violate
patient privacy and that the government had no legal
responsibility to "act affirmatively to protect such
rights." Federal officials also said it would be too
cumbersome to get consent every time an insurance
company or medical specialist needed patient data.

Deborah Peel, for one, was appalled by the ruling.

"You can have your information disclosed for 'routine
purposes' with no consent, no notice, no recourse. Excuse
us, you have just eliminated a fundamental constitutional
right," said Peel, a psychiatrist in Austin, Texas, and a
plaintiff in the case with Citizens for Health, a patient
advocacy group, and others.

Without a privacy guarantee, patients might withhold crucial
information from doctors, fearing it could be used against
them by bosses, banks and others.

"The joke is that soon you're going to call Domino's pizza
and they're going to know that they can't send the extra
cheese because you've got high cholesterol," said plaintiff
Janis G. Chester, who teaches psychiatry at Thomas Jefferson
University.

The federal Health Insurance Portability and Accountability
Act, which grew out of President Clinton's failed effort to
revamp health care, was designed to reduce fraud and prevent
people from losing insurance when they leave jobs. But the
privacy rule soon became the most talked-about part of the
law.

It required written consent to release test results,
diagnoses and other information to doctors, dentists,
hospitals, HMOs, group health plans, insurance companies,
billing companies and others. The rule also gave patients
access to their records and the right to find out when and
to whom they have been disclosed.

In the long term, HIPAA was supposed to simplify electronic
health records, which would save money. In the short term,
however, it has created inconsistencies from one institution
to another and cost millions for training and paperwork,
lawyers and compliance officers.

Laurinda B. Harman, head of Temple University's department of
health information management, jokes that HIPAA stands for
Huge Increase in Paperwork and Aggravation Act. "Is it hard
to comply?" she asked. "No, but it's one more form."

Richard Campanelli, director of the federal Office of Civil
Rights, which oversees HIPAA, believes the privacy rule has
done exactly what it set out to do: give medical consumers
power over their records. While acknowledging confusion early
on, he said that most patients and providers now understand
the boundaries of the law.

"People are very sensitive to their rights and they know that
they have these rights," he said.

Of the 10,785 HIPAA complaints received by the agency, more
than 60 percent have been resolved without penalties and 38
percent remain under investigation. Critics note only 170
were referred to the U.S. Department of Justice for criminal
investigation - and not a single civil penalty has been
issued.

Kate O'Brien, 24, of Lindenwold, N.J., believes the law has
only complicated matters for consumers. A program specialist
for the Association for Retarded Citizens in Camden, N.J.,
she was told HIPAA would not permit her to get her medical
test result over the phone.

"I had to drive all the way over from Pennsauken to Voorhees
to pick it up," she said. "Was it really necessary?"

The truth is: no. Doctors, with patient approval, can release
information over the phone.

The act also has made it hard for some agencies to help those
in their care.

Joe Young, deputy director of New Jersey Protection and
Advocacy Inc., a medical advocacy group in Trenton, said
that psychiatric hospitals sometimes refuse to contact
family members when his mentally ill clients are in
crisis - and cannot remember their medical history.

"It's wrong to freeze out family members who may be able
to provide assistance," he said.

Still, many doctors acknowledge HIPAA has had some positive
effects.

"It's created a new sort of awareness in the office, even
in the idle chatter between physicians and the nursing
staff," said urologist Al Ruenes of Central Bucks Urology
in Warminster and Doylestown, Pa.

A few years ago, he said, doctors routinely left X-rays
on light boxes, and it was not uncommon for a patient to
overhear staff ask for "Mark Summer's CAT scan" over the
intercom.

Many researchers complain that they can no longer recruit
patients directly from doctors' records. They must rely on
doctors for referrals.

"Most physicians are just too busy to do that," said
Roberta B. Ness, a University of Pittsburgh epidemiologist,
who saw recruits for one study fall by half after HIPAA.

But at the University of Pennsylvania, oncologist Julia
Draznin said, new patients now sign several consents at
once, including one for research. No more time-consuming
searches for study volunteers.

"Things are definitely getting better" with HIPAA, she
said. "Common sense prevails."