As reported in a recent article entitled, “The Reinvention of Privacy,”1 a 1999 Wall Street Journal–NBC survey indicated that the American public is “gravely concerned” over issues of privacy. New technologies, particularly the Internet, are perceived by a majority of survey responders as contributing to an escalating loss of privacy. Both state and federal legislators are racing to pass laws that preserve what privacy is left, “after the horse has left the barn.” In this context, the Health Insurance Portability and Accountability Act of 1996, termed HIPAA, focuses on medical privacy. On December 28, 2000, the US Department of Health and Human Services (HHS) issued its Final Regulation, Standards for Privacy of Individually Identifiable Health Information, 65 Federal Register 82462. These regulations were mandated in the HIPAA Act. These regulations detail the guidelines and rules for patient privacy that will go into effect on April 14, 2001, with full compliance by most entities on April 14, 2003.
The fundamental principles on which HIPAA is based represent laudable goals. These 5 principles are:
Ensure consumer control over their health information.
Establish guidelines for medical record use and release.
Ensure the security of personal health information.
Set accountability guidelines for medical record use and release.
Balance public responsibility with privacy protections.
Over the 5 years since passage of HIPAA, there has been a proposed rule and a final rule. Both rules included information in any format. The proposed rule applied only to information that had ever been transmitted or stored electronically, but the final rule does not differentiate based on method of transmission. The final regulation of December 28, 2000, will thus cover paper, electronic, and oral communications (J. J. Cohen, Association of American Medical Colleges advisory memorandum 01-11, February 2001).2,3 This set of regulations is frustratingly complex and will require substantial and costly changes in the manner in which both clinical care and clinical research are conducted. These rules will also affect the education of trainees, health care operating systems, and research. Before reviewing selected components of the Final Regulation, it is relevant to note that the full impact of these regulations will only become clear after extensive HHS interpretation and court challenges.
Students of privacy point out that this concept is a recent one. The book Ben Franklin's Web Site: Privacy and Curiosity from Plymouth Rock to the Internet,1 by Robert E. Smith, points out that until well into the 20th century, privacy concerns dealt mainly with a physical concept involving space. With the advances in communication technologies since 1870 (the telephone, camera, moving pictures, television, computers, personal computers, and the Internet), the capacity to invade all forms of electronic communication and to defeat privacy safeguards has proliferated. The capacity of “hackers” to break into sensitive and reputedly secure files is frequently reported in the news. A majority of Americans find this problematic. Surprisingly, the right to privacy is not guaranteed by the Constitution. Our national concern about privacy can be traced to the 1890s. Landmark Supreme Court cases, such as Griswold v Connecticut, date to the 1960s. In overthrowing state laws that blocked the use of contraceptives, even between married couples, Justice William O. Douglas stated for the majority that “specific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees that help give them life and substance… Various guarantees create zones of privacy.”1 The entire history of the epidemiology of human immunodeficiency virus infection and acquired immune deficiency syndrome has resonated around privacy issues. These concerns have led Americans to fear a loss of privacy in their interactions with government, big business, insurance companies, and the judicial system, and in terms of their right to avoid discovery over private health issues. It is also true that the public wants progress in medical research to continue because of its perceived benefit.
HIPAA is a statute that directs HHS to issue regulations on privacy that affect an extensive array of components of the health care system. Spokespersons in medical schools, hospitals, insurance companies, medical organizations, and accounting firms either applaud or shudder at these rules (J. J. Cohen, Association of American Medical Colleges advisory memorandum 01-11, February 2001).2–5 Some believe the rules come too little too late, and others believe they are too much too soon. With regard to education, the Final Regulation would permit only a limited amount of patient information to be disclosed to medical, nursing, and other health professions students (J. J. Cohen, Association of American Medical Colleges advisory memorandum 01-11, February 2001). In essence, that which can be disclosed is the “minimum required to accomplish teaching.” This standard is intended for “written, electronic, and oral communication.” Although provider-to-provider (doctor-to-doctor, doctor-to-nurse, etc) disclosure for treatment is permitted, this disclosure does not extend to students. This means that whenever teaching is involved, a patient signs a one-time consent for use of his/her information for health care operations (including teaching), and providers may condition treatment on consent. However, if the patient (or parent) refuses, his/her wish is honored.
In the research arena several aspects are troublesome.2 First, there must be de-identification of “protected health information” in archival medical records. This de-identification is only required to allow the information to be used or disclosed freely; a covered entity can use identifiable archival records if the privacy rule's requirements are met. A total of 18 elements in the medical record require removal for protected health information to be considered de-identified. A covered entity can also de-identify data using another method if it has enough expertise to do so, or it can hire a business associate to de-identify data. If this de-identification is not performed, it is necessary to obtain either approval from patients for the use of this archival material or a waiver of authorization from the institutional review board (IRB). Second, the regulations require that 8 new criteria must be met before an IRB waiver may be obtained. Several of these 8 criteria are difficult to interpret: 1) that the waiver will not adversely affect the privacy rights and the welfare of individuals; 2) that the use or disclosure of the information involves no more than minimal risk to the individual; and 3) that privacy risks are reasonable in relation to anticipated benefits. In essence, the Association of American Medical Colleges finds that requirements 1 and 2 are contradictory and that requirement 3 really depends on the personal beliefs or ideologies of individual IRB members. Third, the Final Regulation gives a patient the right to inspect, copy, and amend medical records and to obtain a detailed record of each use or disclosure of protected health information over the past 6 years. These patient rights apply to information in a “designated record set,” which includes treatment and payment information used to make decisions about the individual, not necessarily research records. These rules extend to research that includes treatment, except during the active conduct of the trial.
This rule may be onerous for the conduct of epidemiologic and health services research, expensive in terms of record-keeping, and could have a chilling effect on health services research. Fourth, there is a requirement to apply a “minimum necessary” standard to the disclosure of all protected health information for research performed under a waiver obtained from an IRB.
Other components of the Final Regulation enhance patient rights that control how their health information can be used. Providers and health plans are obligated to give patients “a clear written explanation of how a patient's health information can be used, kept, and disclosed.”2 Patients also have a right to refuse permission to release health information for reasons of payment, treatment, and health care operations. Providers must also obtain consent to release health information for nonhealth care purposes; for example, to financial institutions such as mortgage holders or the selling of mailing lists to life insurers. Coercion of patients to sign forms for nonroutine uses by declining therapy is forbidden.
Health organizations will need to have written privacy procedures that clearly set forth who has access to protected information and when such information will be disclosed. Covered entities must enter into contracts with their business associates that describe how the business associate may use or disclose protected health information.
The penalties under this law are $100 per incident, up to $25 000 per person, per incident, per year, and up to 1 year in prison for obtaining or disclosing health information. If health information is obtained with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious intent, the penalty is up to $250 000 and up to 10 years in prison.2
Several authorities have pointed out that the provisions in the Final Regulation are “either completely new or dramatically different” from an earlier proposed set of rules and from the intent of HIPAA.3 The American Hospital Association has stressed the costly changes to hospitals' information systems that will be required.3 The initial rules had a public comment period from November 1999 to February 2000, during which 52 000 comments were received by the HHS.
It is also appropriate to be concerned about the well-known “law of unintended results.” The HHS Final Regulation was issued on December 28, 2000, as the presidency of William J. Clinton was coming to a close. There are confusing, contradictory, and even unenforceable aspects of the Final Regulation. It seems patently absurd that oral communication of patient information can be policed, especially in a teaching situation.5 Whether each large health entity requires a “privacy officer” is also not clear. However, perhaps the most concerning feature of the Final Regulation is that it could eliminate health services and epidemiologic research in some academic entities that do not wish to bear the expense of potential civil liabilities. Although this position suggests the worst-case scenario, the public may not want to stifle this research. Hence, “the law of unintended consequences” may hold.
With the new administration in Washington, a second period of public comment was ordered by HHS Secretary Tommy Thompson, during which there will be additional input. This comment focused largely on clarification of confusing issues and on the concern that the Final Regulation had expanded beyond the intent and scope of the HIPAA legislation. Most pediatric academic societies and the American Academy of Pediatrics (AAP) have sent communications during this period. The AAP has not yet submitted comments on this rule.
Pediatric concerns are somewhat different and are not considered in most accounts of HIPAA and the Final Regulation. The final rule was actually responsive to the Academy's concerns, particularly those related to adolescent confidentiality and business associates. Among those concerns are the entire issue of adolescent confidentiality; the expanded provisions regarding business associates (the business associate provisions are weaker than those in the proposed rule); the allowance of covered entities to use protected health information for marketing purposes without patient authorization, if certain requirements are met; and the failure to exclude registries established by nonprofit groups or other nongovernmental entities for public health activities. The application of the Final Regulation to adolescent health issues and to patient registries of rare complex diseases is particularly germane. The questions for adolescent health are these: how can we protect the confidentiality of adolescents, and how will covered entities separate protected health information for which the minor retains privacy rights from information for which the parent has privacy rights? How will the Final Regulation interact with the complex web of state statutes and case law regarding confidential health care for adolescents? Some individuals feel that these questions were raised during the process of drafting the AAP comments on the final privacy rule, but that the rule is overwhelmingly protective of adolescents' privacy rights. Guidelines about individuals who are older than 18 years but are university students are also uncertain, particularly with regard to institutional (university) privacy rights for records maintained by federally funded educational agencies. For example, who would hold the privacy rights to a student health form or to access to these records?
Rare disease registries, from which many demographic details can be derived, are also not exempt. What would be the obligations of investigators, who have foundation or not-for-profit organization support for these registries, in terms of gaining permission for use with every study proposed? As an adolescent goes beyond his/her 18th birthday, from whom is permission sought, the parent or the child, now an adult? As new therapies become available, can these patients be contacted? Does the public wish to shut down these registries? Authorization is needed to release information to nongovernmental registries. However, once the registry has the information, it can be used in any way the registry wishes, because these registries are not covered entities. These are examples of real issues that will have an unknown impact on population research.
Other issues are also unclear, such as whether organ/tissue donation should be excluded. However, some commentators feel that this provision of the rule is very straightforward. How much will this program cost, and how will the cost be borne? Should compliance with all HIPAA rules be required at one time?
CONCLUSION
The Final Regulation, which has been issued to explain the features of the 1996 HIPAA law, comes at a period of renewed interest in privacy. Some individuals and agencies, particularly the American Association of Medical Schools and the AAP, have expressed concerns over the complexity of the regulations, the contradictory statements made, and the chilling effects on the teaching of medical students and on research regarding archival medical records. The Academy has been completely supportive of the final privacy rule, but we asked HHS for assistance with implementation because of the rule's complexity. What the impact of the second public comment period will be is uncertain. How the new administration will view these issues is also unclear. As these regulations are modified, interested parties can keep track of the regulations, public comment, and HHS responses at the HHS web site: http://asep.hhs.gov/admnsimp
Footnotes
- Received March 26, 2001.
- Accepted March 26, 2001.
Reprint requests to (R.W.C.) LeBonheur Children's Medical Center, 50 N Dunlap, Memphis, TN 38103-4909.
Dr Chesney is the consulting editor for Pediatrics.
- HIPAA = Health Insurance Portability and Accountability Act of 1996
- HHS = US Department of Health and Human Services
- IRB = institutional review board
- AAP = American Academy of Pediatrics
- Copyright © 2001 American Academy of Pediatrics