Recent media coverage has raised awareness of a variety of our healthcare system’s problems and shortcomings. Increased exposure is often the first step in finding solutions. However, the most destructive force in our health system hasn’t yet made it to the front page. By stripping Americans of the right to control access to their electronic medical records, HIPAA is destroying our children’s and grandchildren’s futures. You may think that the HIPAA Privacy Rule actually protects privacy, but the truth is sobering. One single sentence in the 2002 Amended HIPAA Privacy Rule effectively eliminated privacy by “replacing” a patient’s right of consent. The Final Modifications to the Privacy Rule document in the Federal Register states “The consent provisions [in the previous version of HIPAA]… are replaced with a new provision… that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, healthcare operations.”
We should call the HIPAA Privacy Rule what it really is: the “Exposure Rule.” The changes to HIPAA opened up the nation’s electronic health records to surveillance, snooping, unwanted uses, and disclosure by more than four million “covered entities,” including employers, financial institutions, insurers, schools, government agencies, and all of their business associates. Most of the public and the media aren’t even aware of this, and don’t realize the impact of the sentence that wiped out 2,400 years of medical ethics embodied in the Hippocratic Oath, and more than 200 years of strong privacy-protective American laws.
According to HIPAA, stronger privacy-protective state laws, common law, Constitutional law, the physician–patient privilege, and medical ethics are supposed to prevail over HIPAA. But our health data is so unbelievably valuable that most existing technology was designed as if we have no privacy rights. Today, doctors won’t treat patients unless they sign Privacy Notices that violate medical ethics and expose their records to the world. Worse, the current administration and some members of Congress are pretending that HIPAA is still an adequate privacy standard for the nation, even though it was gutted in 2002.
The problem is that covered entities and all of their business associates can use the data in health records to discriminate against everyone who gets sick. Data mining generates untold billions in revenues, but not one dime goes to help a single sick person. For the first time in our nation’s history, our health records may be regularly accessed and disseminated without our consent for all “routine” uses under HIPAA (defined as treatment, payment, and healthcare operations). This may sound reasonable until you realize that entities holding our sensitive personal health information can unilaterally decide to use it, and we cannot object or refuse access.
Any covered entity holding our health records has the right to determine—without consent and without reporting to anyone—the uses of our data that constitute “healthcare operations.” Even worse, there is no way for us to even find out what they are doing, because audit trails are not required for “routine” uses of personal health
Data Mining and Personal Health Information
IMS Health and Verispan LLC sell the nation’s most current prescription records daily to insurers and the pharmaceutical industry. IMS Health reported revenues of $1.75 billion in 2005. Verispan LLC is privately owned, so its revenues are unknown. Blue Cross Blue Shield set up the Blue Health Initiative last year to sell the medical and claims data on all 79 million Blue Cross enrollees to large employers to help them reduce their costs. Thomson Medstat also sells the data of millions of patients, including Medicare and Medicaid data, to large employers and drug companies.