Issue Brief

July 2000

Medical Privacy Legislation   

 

Fifty years ago when you went to the doctor, only your doctor and staff saw the information you provided. If you had x-rays, they were usually developed and read in your doctor’s office. Most laboratory work was done in your doctor’s office. And, you paid your own bill. As long as you had confidence in your doctor’s discretion and that of his or her staff, you didn’t worry about the confidentiality of your medical records.

Yet even in those simpler times, there was tension. On the one hand, patients’ health information needed to be shared for purposes of protecting public health and advancing medical research. On the other hand, doctors needed to protect patient privacy to ensure trust in the doctor-patient relationship. This tension has escalated as the health care system has grown in complexity over the last 50 years.

Today, not only are doctors, nurses, hospital personnel, researchers, and other health care professionals involved with an individual’s records, but insurers, auditors, and often even the government receive information about individual patient records. Expansions in medical technology, information technology and managed care have contributed to greater numbers of people having access to an individual’s medical records. And that fact has not been lost on the public.

There is a deep well of concern among the public about the potential misuse of their private health data. In fact, a 1999 study done by the California Health Care Foundation found that one out of every six people engages in some form of privacy-protective behavior. These behaviors include lying to their doctors, doctor-hopping to avoid a consolidated medical record, paying out of pocket for care that is covered by insurance, and—in the worst cases—avoiding care altogether. If these results are correct, they pose serious problems for our entire health care system. Not only can this behavior jeopardize the health of the individuals involved, it also can undermine public health and the quality of medical research.

Because of its concern about the threats to medical confidentiality posed by this complex structure, Congress included a section in the 1997 Health Insurance Portability and Accountability Act (HIPAA) requiring the Department of Health and Human Services (HHS) to propose regulations ensuring comprehensive privacy safeguards for health information if Congress did not act on the matter by August of 1999.

Privacy fears are exacerbated by abuses many have experienced in the financial and direct marketing sectors—the phone call during dinner or the targeted piece of mail makes us suspicious about the kind of information “someone” knows about us.  These fears manifest in health privacy concerns, including that one’s employment might be jeopardized if sensitive records were easily accessed.

Even though more than a dozen proposals were introduced, Congress did not act by the required deadline and HHS proposed a new rule last November. In his State of the Union Address on January 27, 2000, President Clinton discussed the need for health privacy and noted, “Last year, we proposed to protect every citizen’s medical record. This year, we will finalize those rules.”  

Proposed Regulations  
Due to great public interest in the proposal, the Administration extended the comment period on the proposed regulation to late February. The Administration is still reviewing the more than 40,000 comments that have been received on the proposal. While most people agree on the value of privacy safeguards, there is disagreement on how to achieve that value. Some of the controversial features of the proposed regulation are:

1.  It proposes overriding state privacy laws except where those laws are more restrictive than the federal regulation. This concerns many in the provider community who would like to have only one set of standards.

2.  It is limited by the authority granted in HIPAA and applies only to health care providers, health plans, and clearinghouses. This leaves out many entities that receive health information.

3.  In an attempt to deal with its limitations in authority, the rule tries to require covered entities to extend their privacy requirements to the systems they share information with, causing a great deal of concern among some providers and insurers.

4.  Any provider that maintains only a paper information system cannot be covered by the standards.

5.  There is no statutory authority for a private right of action for individuals to enforce their privacy rights.

These are only some of the areas of concern that have been expressed by privacy advocates, health care professionals, insurers, and others. Most people involved in this debate believe Congress should enact a comprehensive health privacy law applicable to all who generate, maintain, and/or receive protected health information. However, that is unlikely to happen this year, so it behooves all who are concerned about this issue to work with HHS to ensure that any rule it promulgates works as successfully as is possible within the limits of its authority.

For exact language of this regulation or additional information, please go to

http://aspe.hhs.gov/admnsimp/index.htm

   

 
