Privacy consultant Bob Gellman has published an evaluation (pdf) of the privacy subtitle in the newly passed stimulus law, which has many provisions that affect the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Gellman has many years of experience working in the field, especially on medical privacy, and his analysis should be of interest to those concerned with the privacy of health data.
The commentary is detailed and thoughtful. One example, discussing the information disclosure provision:
This requirement makes mandatory a patient request that a covered entity limit disclosures to a health plan if the patient pays out of pocket in full. For privacy, this is a highly desirable outcome. However, for a health care provider, it will create a requirement that will take some care to implement. Parts of a record that are medically intertwined will have to be segregable when disclosed to a health plan.
If health records in an electronic system are shared, a covered entity must be able to segregate specific parts of a record and to keep those parts from being disclosed to health plans as directed by the patient. However, the same records can be shared among various health care providers because the restriction only applies to disclosures to a health plan.
A secondary provider who receives restricted information from a primary provider may also be obliged to honor the patient’s demand not to disclose the information to a health plan. It will have to be determined by the rule whether a patient will have to make an additional request for confidentiality to each provider that obtains the restricted record from the original provider. In cases where a patient has many providers – including some that the patient may not know about in advance (e.g., a specialist consulted by a primary physician) – the burden may be substantial. In an era of [Regional Health Information Organizations (RHIOs)] and [Health Information Exchanges (HIEs)], this may be especially challenging.
No matter what, this provision will be complicated for everyone. It also may provide a model for broader patient control over use and disclosure of the patient’s record for other purposes. It may also provide a model for addressing requirements in other laws (e.g., the alcohol and drug abuse regulations in 42 CFR Part 2) that impose downstream restrictions on categories of health information.
Gellman goes on to give a practical example of how the possible problems would affect an individual:
In a likely scenario, a patient pays for a genetic test out of pocket and requests confidential treatment for the test and the result. The patient, having learned that he is at risk for colon cancer, has a colonoscopy at age 30. The health plan refuses to pay on the ground that colonoscopies are not appropriate for 30 year olds. When a patient undergoes treatment based on information, a test, or a procedure that the patient has hidden from a health plan, the patient is likely to face a difficult dilemma. This may become even more complicated if the genetic test was done on a blood relation and not the patient. The relative may have placed a limit on disclosure of the information to the health plan, but the information may be freely shared within the family. The patient may be unable to satisfactorily explain an action without revealing the relative’s secret.
Will a health plan be told that parts of a patient’s record have been withheld at the request of the patient? A request for pre-certification or for payment might be flatly denied by a health plan because any information withheld may be relevant to its decision. If plans can pressure individuals by refusing coverage, then the entire provision may be meaningless. Similar issues may arise when medical underwriting occurs.
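To make the segregation requirement and the genetic-test scenario quoted above concrete, here is a small added model of a segmented record in which a patient-requested restriction is attached to a segment, filtered out of disclosures to a health plan, and carried along with disclosures to other providers so a downstream provider can honor it without a second request. This is illustrative code written for this post, not anything from Gellman's analysis or from any real EHR system; the segment kinds, recipient types, holder names and function names are all assumptions.

```python
# Added example: a toy model of patient-requested disclosure restrictions on a
# segmented health record. Written for this post; not from Gellman's analysis
# or any real EHR product. Segment kinds, recipient types and field names
# are assumptions chosen to mirror the quoted scenario.
from dataclasses import dataclass, replace
from typing import List

HEALTH_PLAN = "health_plan"
PROVIDER = "provider"


@dataclass(frozen=True)
class Segment:
    """One separable part of a record (a test, a visit, a procedure)."""
    kind: str                           # e.g. "genetic_test", "colonoscopy"
    content: str
    restricted_from_plan: bool = False  # patient paid out of pocket and asked for confidentiality


@dataclass
class Record:
    """A covered entity's copy of a patient's record."""
    holder: str                         # which covered entity holds this copy
    segments: List[Segment]


def restrict_from_plan(record: Record, kind: str) -> Record:
    """Honor a patient's request: segments of this kind must not go to a health plan."""
    record.segments = [
        replace(s, restricted_from_plan=True) if s.kind == kind else s
        for s in record.segments
    ]
    return record


def disclose(record: Record, recipient_type: str) -> List[Segment]:
    """Segments that may leave this holder for the given recipient type.

    A health plan never receives restricted segments. Another provider receives
    everything, including the restriction flag, so the flag travels with the
    data and the downstream provider can honor it without a second request.
    """
    if recipient_type == HEALTH_PLAN:
        return [s for s in record.segments if not s.restricted_from_plan]
    return list(record.segments)


def withheld_from_plan(record: Record) -> int:
    """How many segments a plan disclosure from this holder would silently omit."""
    return sum(1 for s in record.segments if s.restricted_from_plan)


def receive(holder: str, segments: List[Segment]) -> Record:
    """A downstream covered entity builds its own copy from a disclosure."""
    return Record(holder, list(segments))


def scenario():
    """Constructed walk-through of the genetic-test example: the plan sees the
    colonoscopy but not the restricted test that justified it."""
    primary = Record("primary_physician", [
        Segment("genetic_test", "elevated hereditary colon cancer risk"),
        Segment("colonoscopy", "screening colonoscopy at age 30"),
    ])
    restrict_from_plan(primary, "genetic_test")

    # Referral: the specialist gets the whole record, restriction flag included.
    specialist = receive("gi_specialist", disclose(primary, PROVIDER))

    # Both holders send the plan only the colonoscopy; its justification is missing.
    to_plan_from_primary = [s.kind for s in disclose(primary, HEALTH_PLAN)]
    to_plan_from_specialist = [s.kind for s in disclose(specialist, HEALTH_PLAN)]
    return to_plan_from_primary, to_plan_from_specialist, withheld_from_plan(specialist)


if __name__ == "__main__":
    print(scenario())
```

The model makes two of Gellman's points visible: the restriction has to be a property of a segment rather than of the whole record, and it has to travel with the segment on every provider-to-provider disclosure or the secondary provider cannot honor it. Whether `withheld_from_plan` should ever be reported to the plan is exactly the open question he raises; the code only counts, it does not decide.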