Medical Privacy Rules Face Bumpy Road

[NEW YORK, NY] - New federal rules establishing the nation's first medical privacy standards set to take effect on Monday are likely to cause confusion in the short run, experts say.

The rules dramatically change the way hospitals, doctors, health plans and pharmacies must handle personal health information. They also impose criminal and civil penalties for breaching patient privacy.

Under the rules, patients will receive notices from their providers describing their new rights. Those rights include the ability to examine their own medical records.

The rules also give consumers limited new powers to prevent sensitive data from slipping into the wrong hands. They forbid healthcare providers from sharing identifiable health information with employers, for instance. And unless a patient has specifically granted his or her consent, providers may not sell lists of patients to companies for marketing purposes.

"But there's still a lot of gray areas here, and a lot of areas that are constantly popping up," cautioned healthcare attorney Robert Falk of Powell, Goldstein, Frazer & Murphy.

He cited a recent incident in which a patient's parole officer sent a release form requesting medical information from the patient's doctor. Because the release form did not meet the new privacy standards, the doctor won't be able to supply the requested information.

"We're going to be dealing with a lot of unintended consequences or transition issues here," Falk warned.

The rules will set in motion a collection of patient privacy standards adopted in the waning days of the Clinton administration as part of a landmark law known as HIPAA, the Health Insurance Portability and Accountability Act of 1996. Bush health officials adopted the rules in April 2001, giving providers a two-year window to develop policies and systems to comply with the new requirements.

While many large hospitals, medical practices, insurers and pharmacy chains are ready for the changes, "a lot of the small providers probably don't know about it at all or are not prepared," Falk said.

Health and Human Services Secretary Tommy Thompson said in a statement released on Friday that the administration has "worked aggressively" over the past two years to give providers the information they need to comply with the rules. But he also conceded that the process remains ongoing.

"We will continue our efforts to encourage covered entities to comply with the regulations' requirements," he said. "After all, this is the best way to ensure that patients get the rights and protections they expect."

The administration has the power to wield stiff civil and criminal penalties to enforce the rules. Violators are subject to fines of $100 "per incident" up to a maximum of $25,000 per year for each breach of a privacy standard. Offenders who knowingly flout the law with malicious intent or for commercial or personal gain could face fines of up to $250,000 and up to 10 years in prison.

Despite the 24-month implementation phase, "misinformation and confusion" abound, say officials at the Health Privacy Project, a nonprofit health privacy information outfit based at Georgetown University.

One myth is that hospitals will be barred from giving out patient information to the public, they said. The truth is hospitals may continue to share information about patients unless a patient specifically asks that the information be kept private.

Project leaders are also troubled by the continued ability of pharmacies to send health-related information about products and services to patients without consumers' knowledge that the information may have been paid for by a drug company.

On Tuesday, project leaders announced the launch of a "privacy complaint monitoring initiative" to keep tabs on HHS' enforcement of the law.

"Given that HIPAA does not give people the right to sue, individuals must rely on the Bush administration to represent their interests," Janlori Goldman, director of the Health Privacy Project, said in a statement. "Our monitoring initiative is intended to ensure that consumers' voices are heard."

While the law does not allow patients to sue for breaches of privacy related to medical data, it does give them the right to file a complaint with HHS' Office for Civil Rights.

Some health and consumer groups still have concerns about the new requirements. On Thursday, a coalition representing mental health organizations and health privacy activists filed suit in U.S. District Court in Philadelphia challenging the HIPAA privacy rules.

The complaint contends that rather than safeguarding patients' private information, HIPAA actually grants "unprecedented, unconstitutional access" to the data without patients' consent.