A Tripartite Threat to Medical Records Privacy: Technology, HIPAA'S Privacy Rule and the USA Patriot Act
Wills, Nathan J., Journal of Law and Health
I. INTRODUCTION II. PRIVACY IS A FUNDAMENTAL RIGHT III. MEDICAL RECORDS PRIVACY IS OF THE UTMOST IMPORTANCE IV. HIPAA: THE GOVERNMENT'S RESPONSE TO THREATENED MEDICAL RECORDS PRIVACY V. PRIVACY RIGHTS ARE CIRCUMSCRIBED IN THE POST-9/11 WORLD VI. THE THREAT TO MEDICAL RECORDS PRIVACY VII. CRITICISM OF THE PRIVACY RULE A. Is the Privacy Rule Unconstitutional? 1. Fourth Amendment Claims 2. First Amendment Claims B. If not Unconstitutional, the Privacy Rule is Ineffective 1. The Privacy Rule is Behind the Times 2. Exceptions Swallow Additional Privacy Protections Protections 3. The Nebulous Nature of a "Covered Entity". 4. Federalism Concerns 5. Congress was Catering to Corporate Interests VII. ALL IS NOT LOST VIII. CONCLUSION
"Privacy is not something that I'm merely entitled to, it's an absolute prerequisite." (1)--Marion Brando
Virtually every member of American society has seen a physician and therefore has some type of medical history. A medical history contains some of the most intimate details of a person's life. (2) This information might not even be shared with intimate partners, family or friends, (3) perhaps because an individual is usually private, in denial of an illness, or wishes to guard loved ones from painful information. Whatever the reason, it is reasonable to conclude that most individuals wish to keep health information personal and private.
The desire to keep medical information private has been recognized for centuries, as evidenced by the Hippocratic Oath (4) and the common law physician-patient privilege. (5) As healthcare changes, so too must societal conceptions of medical privacy. Today, medical privacy encompasses not only privileged communications, but also the power to control medical records and who may access them. Preserving this power can appropriately be termed protecting medical records privacy.
Unfortunately, three issues threaten the long-recognized right to medical privacy. First, while the increased use of technology to store and transmit medical records makes accessing private health information easier for authorized medical personnel, it also increases the likelihood that the information may be seen and used by those with ill intentions. Second, the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") (6) actually sanctions the non-consensual disclosure of personal health information. (7) Third, privacy rights are eroding as a result of measures taken to increase national security in the wake of the September 11, 2001 terrorist attacks. The erosion of privacy rights is illustrated by the hastily passed USA PATRIOT Act, (8) which alters the interpretation of many privacy oriented statutes and effectively contracts individual privacy rights. (9) These three factors have converged to threaten an individual's right to medical records privacy.
Proceeding from the proposition that privacy is a fundamental right, this essay notes the importance of maintaining medical records privacy in light of the increased use of technology. It describes the Privacy Rule promulgated under HIPAA, which was intended to strengthen medical records privacy, but notes the restriction of privacy rights following September 11, 2001 ("9/11"). In light of circumscribed privacy rights, the Privacy Rule becomes much more important in protecting medical records privacy. Unfortunately, the Rule falls short of this goal by potentially running afoul of the First and Fourth Amendments. It also fails to provide adequate medical records protection because it: (1) relies on an out of date technology model; (2) provides too many exceptions to its own consensual disclosure provisions; (3) lacks specificity in defining the entities it covers; (4) fails to resolve important federalism issues; and (5) caters to corporate interests. …