In late 2000, HHS issued an initial HIPAA privacy rule that required covered organizations to obtain consent "prior to using or disclosing protected health information to carry out treatment, payment or healthcare operations." In 2002, HHS amended that rule, replacing the consent requirement with a new provision "that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment and healthcare operations." Covered organizations could obtain patient consent, the HIPAA rule said, but only if they wanted to do so.
James Pyles, a lawyer with the Washington firm Powers Pyles Sutter & Verville, sued HHS on behalf of a coalition of providers and privacy advocates that included the American Association of Practicing Psychiatrists, American Mental Health Alliance, American Psychoanalytic Association and National Coalition of Mental Health Professionals and Consumers. The lawsuit was filed in April 2003 just before the revised HIPAA privacy rule went into effect. It alleged the HHS revisions would violate patients' constitutional rights to privacy. The lawsuit failed at the trial and appellate court levels and was denied a hearing by the U.S. Supreme Court on appeal.
"The GAO report again identifies the well-documented lack of commitment by HHS to identify key privacy protections for a nationwide health IT system," Pyles said in an e-mail comment on the GAO testimony. "The problem is actually much worse than described by GAO because the report fails to acknowledge that there is wide consensus about necessary health information privacy protections in constitutional common law, the statutory and common law pertaining to the physician-patient and psychotherapist-patient privilege, and state privacy laws for mental health, HIV/AIDS, genetic and cancer information. GAO also refers to the 'key privacy principles' in HIPAA's privacy rule; however, GAO does not seem to understand that the right to health information privacy is not one of the rights enumerated by the rule and, in fact, the privacy rule does not even contain a definition of health privacy."
Pyles said that the GAO "does not seem to be aware that a court of appeals found in 2005 that covered entities are using the HIPAA privacy rule as a federal stamp of approval for the violation of individuals' health privacy over their objections." While the GAO testimony "mentioned" the National Committee on Vital and Health Statistics recommendations, he said, it "fails to mention that one of the key recommendations was that the terms privacy, confidentiality and security be defined. Interestingly, the AHIC confidentiality, privacy and security work group has refused to define the terms that constitute its name. I made that suggestion at its first meeting months ago."
"GAO also missed the fact that the NCVHS report also acknowledged that the right to health information privacy is a key concept in standards for the ethical practice of medicine," Pyles said. "The GAO report tacitly recognizes, however, that with the exception of the NCVHS, the other groups directed by the secretary to research the health information privacy issue seem to be dedicated to researching ways to avoid or eliminate that well-established right."
Pam Dixon, executive director the World Privacy Forum, said that the GAO submitted "a pretty tough report. It took a hard line and it doesn't take a hard line all that often. For them to say that HHS rejected their recommendations is a big deal. It says there is a big, big problem at HHS. I don't think that (Robert) Kolodner will be able to ignore the GAO." Kolodner heads the Office of the National Coordinator for Health Information Technology at HHS.
At the same time, Dixon said she was shocked to hear that ONCHIT staffers did not make use of the work of the NCVHS. "I can't think of a single reason why you would not include a thoughtful group like that. It is beyond the scope of imagination. Mark Rothstein (the head of the NCVHS privacy subcommittee) is about the best guy on medical privacy out there. To deliberately exclude them is extraordinary."
Privacy advocate Deborah Peel, an Austin, Texas-based psychiatrist and founder of the Patient Privacy Rights Foundation, in an e-mail response to the latest GAO testimony, was caustic in her assessments—of both HHS and the GAO. After the January 2007 GAO report, Peel said she wrote its two authors, Koontz and David Powner, director of information technology management issues, giving them "an extensive critique of their report." Peel said she "never received a response."
"Basically, I pointed out that their entire report was fatally flawed because the authors did not appear to understand that the 2002 amendments to HIPAA gutted the privacy rights in the original privacy rule," she said. "So the question becomes, what is wrong with the GAO and these authors? Before I sent them the single sentence in the amended rule that eliminates the right of consent, they could at least claim that they missed the change. Now, I have no idea what the reason could be for not understanding what the privacy rule actually says. Denial of reality?
"Even the GAO's conclusions show that the delusion that HIPAA protects privacy is maintained," Peel said, pointing out that its second recommendation calls for HHS to "ensure that key privacy principles in HIPAA are fully addressed."
"Neither the GAO nor HHS can face the obvious fact that since HHS gutted the HIPAA privacy rule, relying on it as the federal standard for privacy cannot possibly ensure privacy," Peel said. "This really is an emperor-has-no-clothes situation—the GAO and HHS expect Congress and the nation to go along with the pretense that HHS and HIPAA are protecting our privacy when our records are naked for covered entities to see, use and disclose for virtually any reason. It is almost impossible to conceive of a use of PHI (protected health information) that would not fall under one of the three categories of treatment, payment or healthcare operations—covered entities are free to data-mine and sell Americans' health records."
As for HHS specifically, Peel asked, "How can we expect the very agency that gutted privacy to turn around and suddenly start protecting privacy? The main impediment to privacy in electronic health systems is HHS itself, which has been acting at the behest of the data-mining, insurance, pharmaceutical, and hospital industries. Government's job is to protect the rights, liberties and freedoms of its citizens, not promote the best interests of corporations and industries," Peel said.
Contacted for comment about the criticisms, Linda Koontz, GAO co-author and director of information management for the congressional watchdog agency, was unruffled, adding that she accepted some of her critics' points.
"You might be surprised that people oftentimes disagree with us," Koontz said. "It is not an unprecedented sort of thing. When we testified yesterday, we were reporting on what we'd done and reported on in January 2007. We did very little updating."
Koontz said the GAO was asked to assess the activities of HHS, not the efficacy of HIPAA, and so the agency was working under a fairly narrow directive.
"We were not asked to critique the coverage of HIPAA," Koontz said. "We think that should be part of the HHS effort as they move forward. We also thought the NCVHS efforts should be part of the recommendations as well."
"I think there is probably less disagreement here than either of these authors (Pyles and Peel) might think," Koontz said. "I think they raise some legitimate issues about the scope of consent under HIPAA. The GAO definitely supports looking at privacy broadly as HHS moves forward."
The GAO authors were not the only ones to appear before the subcommittee, headed by Rep. William Clay (D-Mo.) Mary Grealy is president of the Healthcare Leadership Council, whose Web site lists among its 34 members about a dozen provider organizations including the Mayo and Cleveland clinics and Tenet Healthcare, and a greater number of pharmaceutical manufacturers and resellers such as Cardinal Health Corp., CVS Caremark Corp., Eli Lilly & Co., Pfizer and McKesson Corp. Grealy testified in defense of the current amended version of the HIPAA privacy rule, which, she said, her organization helped shape.
Grealy said the group opposed restoring the patient consent provisions in the original HIPAA privacy rule, as called for by privacy advocates.
"We are concerned that the transition to more widespread use of electronic medical records will prompt a reactive advocacy in some quarters for additional, burdensome privacy regulations," Grealy said. "It's important to note that the HIPAA privacy rule, which is already quite restrictive, was spurred by the growth in electronic transactions and contains ample provisions governing the confidentiality of information, electronic or otherwise.
"It's even more important to recognize that more restrictive rules, such as requiring providers and payers to obtain prior consent to treatment, payment and healthcare operations would have a counterproductive and harmful impact on patient care," Grealy said. "While HIPAA establishes a federal privacy standard, it permits state variations that are found in thousands of statutes, regulations, common law principles and advisories. This patchwork quilt creates confusion among those who hold identifiable health information and those who seek to establish data exchanges. We believe strongly in a national standard that provides strong privacy protections for every American and that facilitates nation- and system-wide electronic data exchange for the betterment of patient care."
She also stumped for federal pre-emption of state privacy laws. Under HIPAA, states were given leave to retain their own healthcare privacy laws, provided they were more stringent than the baseline set by the HIPAA rule.
Grealy lauded Clay, whose IT bill, H.R. 4832, "laid out a process to help achieve that national standard that we hope will be part of any" health IT legislation. It includes language authorizing either Congress or the HHS Secretary to pre-empt state privacy laws, language that is almost identical to that in last year's ill-fated H.R. 4157 throughout most of its legislative life. The bill was sponsored by former Rep. Nancy Johnson, R-Conn., and it carried state pre-emption language until that provision was stripped from the bill by a Republican-controlled committee at the eleventh hour just before the remainder of the legislation passed a floor vote in the House. The bill died in conference committee.
Lawrence Hughes, regulatory counsel for the American Hospital Association, seconded Grealy's positions on federal pre-emption of state privacy laws and supporting the status quo with HIPAA in which patient consent is not required for the use and exchange of their healthcare information.
"AHA has always been in favor of a national standard on privacy," Hughes said. "We think that the privacy rule really achieves the right balance between protecting patient's privacy and treatment. If you returned the privacy rule to its original version. ... I think there would be significant obstacles to providing good quality care to patients, so we were supportive of the change just as HLC was."
"That criticism has been around for some time," Hughes said. "Achieving the national goal of (attaining) an e-health record within the time frame established by the government seems to be a very complex and complicated process. We have been participating in the process and it seems to be moving along and working fairly well. I don't have any major criticisms of the process itself."
Peter Swire disagreed with Grealy's call for federal pre-emption of state privacy laws, but he did say Congress should act to toughen HIPAA's enforcement provisions. Swire is a law professor at the Moritz College of Law at Ohio State University and a senior fellow at the Center for American Progress. He served as the point man for the Clinton White House at the time the original HIPAA privacy rule was drafted.
"I'm stressing that if we pre-empt and simply have the HIPAA standard, then that would repeal many existing privacy protections," Swire said in a telephone interview. Swire also criticized the government for what he called its "no enforcement policy" of existing HIPAA penalty provisions. The Office of Civil Rights at HHS has received more than 27,000 complaints of possible HIPAA privacy violations between its effective date in April 2003 and the end of April this year, Swire said. The agency has yet to issue a single fine for a HIPAA violation, he said.
"HHS should change its one-free-violation policy under which they will always work with the covered entity in the first violation no matter how egregious the behavior," he said. Swire said that "maybe it made some sense in the first year," but to keep the same policy four years after the rule went into effect only encourages violations.
Meanwhile, the Civil Rights Office has referred 393 of the most serious cases to the Justice Department for possible criminal enforcement, but dropped all attempts to seek civil penalties against those suspected violators. Swire said the Civil Rights Office should continue to prosecute civil penalty violation charges against those potential criminal defendants.
"It makes sense for Congress to make these targeted fixes," Swire said. "Without it, enforcement efforts are likely to fail."
What do you think? Write us with your comments at firstname.lastname@example.org. Please include your name, title and hometown.