Whatever, in connection with my professional practice, or not in connection with it, I may see or hear in the lives of men which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret.
Oath of Hippocrates
From the very beginning, when the privacy rule of the Health Insurance Portability and Accountability Act was released by HHS in the waning days of the Clinton administration in late 2000, the Hippocratic oath has taken a back seat to national security, many observers contend.
HIPAA was passed in 1996 with some privacy penalty provisions in place, but Congress gave itself a three-year grace period to come back and flesh out the law with specific privacy legislation. That never happened. Instead, legislative foot-dragging triggered a HIPAA provision that said if Congress failed to act on privacy within three years of passage, HHS was given the authority to write the privacy rule itself. Even that first issue of an HHS-written HIPAA privacy rule allowed disclosures of medical records for national security requests, but since then, the Justice Department and HHS, the key federal agency pushing healthcare information technology, have teamed up to seriously weaken the HIPAA privacy rule while Congress and the Bush administration have sought to expand government access to health records for national security reasons, according to lawyers and privacy advocates.
To view Joseph Conn's entire package on terrorist surveillance and electronic medical records, read "EMRs could be fair game in war on terror," "A controversial lawyer, HIPAA and the privacy debate," "The tortuous path of the HIPAA privacy provision," "Potential exists for snooping in EHRs, experts say," "Government sets sights on health IT for surveillance," and listen to a podcast interview with Twila Brase, "Possible EMR, national security interest links."
That doesn't mean the Justice Department or HHS are implicated in illegally exposing medical records to surveillance, but it does mean the relaxation of the rule could make it easier for government surveillance agencies to obtain healthcare data from commercial sources, those sources say.
For example, the original version of the privacy rule written by HHS staffers required patient consent before so-called covered entities (defined by HIPAA as healthcare providers, payers and claims clearinghouses) could share patient-identifiable medical records for treatment, payment or other healthcare operations. HIPAA defines healthcare operations so broadly that unless a disclosure was specifically exempted (and there are a number of exemptions, such as for national security or protecting the president from threats on his life), almost every conceivable release of medical information required patient consent.
After initially accepting the original version of the privacy rule, the Bush administration under then-HHS Secretary Tommy Thompson announced in March 2002 that it wanted to make revisions. By August of that year, HHS had relaxed the privacy rule. The new rule gave regulatory permission to covered entities for the use and disclosure of patients' records without patient consent for treatment, payment and other healthcare operations, with that final phrase, again, playing a key role. Stripping away the consent requirement turned the law on its head, according to privacy advocates. "Other healthcare operations" is so broadly defined under the rule that it converts a broad protection rule into a permissive rule for disclosure, the advocates say.
"They assure me they are very much working on it and hope to have it out soon," McGraw said. "I don't think this is their way of putting me off and hiding the fact that they're never going to do it, but I don't know if we'll ever see it or not. I hope we do."
In June 2007, the consulting firm RTI International released an oddly titled report, "Recommended Requirements for Enhancing Data Quality in Electronic Health Record Systems," funded by a $487,000 contract from ONCHIT; the 115-page report deals mostly with healthcare fraud, not quality. It includes a controversial recommendation that developers of computer-based, electronic health-record systems used by office-based physicians be required to engineer back doors for remote monitoring into their software packages, ostensibly for insurance companies as well as Medicare and Medicaid administrators to detect fraud and gain legal evidence to prosecute perpetrators. Privacy advocates howled.