As of Monday, a new federal medical-privacy rule gives data-processing companies, insurers, doctors, hospitals, certain researchers, and others legal permission to share citizens' personal health information - including genetic information - without individuals' consent.
Citizens will be notified that their data legally can be exchanged with others. But under the federal rule, they won't be guaranteed the right to stop the flow of data for purposes related to treatment, electronic claims processing, and healthcare operations - this last term being so broad that it includes marketing.
How did this federal rule come about? Who was behind it? What can Americans do to protect their medical privacy?
Until now, medical privacy was primarily regulated by the states. Most states have laws requiring patients' consent before their information is shared with others. However, abiding by many different state privacy laws has proved difficult for the industries that want to create a national health-information system. National leaders of the medical, hospital, health-insurance, and other industries have been working for more than a decade to nationalize standards for sharing patients' health data.
In 1993, President Clinton's Health Security Plan included a provision titled "Administrative Simplification." It called for a national health-information infrastructure and required that unique identifiers be assigned to four groups for processing health claims electronically. These included healthcare providers, health plans, employers, and individuals. The plan also called for creating uniform national codes for medical claims and for establishing federal privacy rules.
Congress and the American people vehemently rejected the Clinton plan to nationalize healthcare. However Administrative Simplification was tucked away in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was signed into law in 1996. Many remember HIPAA as the legislation that was supposed to make health insurance portable and affordable. (It never met those purported goals.) Under HIPAA the same four groups mentioned above would be required to have unique identifiers for processing claims electronically.
Thanks to Rep. Ron Paul (R) of Texas federal funding for a health-identifier system has been put on hold over the past few years. But unless that provision of HIPAA is repealed, all Americans may soon be assigned a number for tracking their personal health information from cradle to grave.
Aware of the American people's concerns with creating and transferring personal health data electronically, Congress included a provision in HIPAA requiring that if a medical-privacy law was not passed by Aug. 21, 1999, the secretary of Health and Human Services (HHS) would have to generate such a rule to cover the new electronic medical-records system.
Congress missed its own deadline and so the authority shifted to the Clinton administration. In November 1999, that administration proposed regulations that would have prohibited doctors, hospitals, and others from obtaining patients' consent before releasing their medical information. The public objected.
A final rule was published in December 2000, just before Mr. Clinton's departure. It did require healthcare providers and organizations to obtain patients' consent before releasing their medical records for treatment, payment, or broadly defined "healthcare operations." However, many others did not need patients' consent before obtaining their records, including law-enforcement officials, certain researchers, and public-health officials, among many others.
The medical and insurance industries strongly opposed the consent provision and lobbied the incoming Bush administration to eliminate it. Not surprisingly, the Bush administration modified the rule so that healthcare insurers, providers, institutions, and others could transfer medical information electronically to pay claims, treat patients, and do other tasks - without patients' consent.
In essence, the federal government is giving the medical industry regulatory authority to decide whether personal health information can be obtained by others without patients' permission. What's more, some powerful industry groups strongly support having the federal rule preempt state medical-privacy laws. Given their lobbying success, it is likely that in the near future these groups will attempt to accomplish this.
That is why citizens and state legislators should make sure that their stronger medical-privacy laws requiring patient consent are protected against preemption by the new federal rule.
• Sue A. Blevins is president of the Institute for Health Freedom.