Patients have long been concerned about the privacy of their health care information. "How private is private?" is a question that echoes through the minds of patients every time they receive a stigmatizing diagnosis such as cancer, a sexually transmitted disease (STD), alcohol or drug dependency, a mental or emotional health problem, or trauma symptoms related to a personal and private experience. Federal regulations for health care providers that went into effect in April 2003 are touted as improving or ensuring the privacy of an individual's personal health information, but do they? We think not.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L. 104-191) is a multitiered, comprehensive, convoluted, and controversial federal law for sweeping health care reform. Although HIPAA is dramatically broader in scope than privacy protections for health care information, a provision for privacy in the form of a Privacy Rule is included in Title II of HIPAA under the Administrative Simplification regulations; this regulation has created widespread controversy, as well it should, juxtaposed with both civil liberties and the tenets of our profession's ethical code.
In preparation for the Privacy Rule compliance date in April 2003, executives of covered entities (CEs), which include health plans, health care clearinghouses, and health care providers, were involuntarily plunged into a mire of federal definitions, acronyms, regulations, and procedures that spiked the jargon meter. A veritable compliance melee erupted as a result of struggles to comply with the letter of the law in the face of inability to decipher what the letter of the law was. A health care network-wide plethora of brochures, forms, and flyers, ostensibly aimed at protecting patient privacy better than ever before, spilled from the many months of compliance preparations by each CE. But contrary to the HIPAA hype about patient protection, and despite the glacier of paperwork for protecting privacy that was spawned by the Privacy Rule, critics of HIPAA claim that this federal law erodes patients' right to privacy. Citizens for Health filed papers in the U.S. district court in Philadelphia alleging that HIPAA regulations threaten "essential liberties [privacy] guaranteed by the Constitution" (Dougherty, 2003).
Privacy and confidentiality are in greater jeopardy than ever because of two security issues inherent in compliance with HIPAA regulations. The first security issue stems from the fact that health care providers are forced to use the Internet for sharing information and for billing purposes. Second, and counter to HIPAA's alleged intent, is the issue of access to private health information. According to a statement issued by Citizens for Health, "virtually all personal health information about every aspect of an individual's life can be used and disclosed routinely without notice, without the individual's consent and against his or her will" (Dougherty, 2003).
In the first instance, patient confidentiality is compromised by the federal government, health care workers, hackers, and the legal system. The federal government realizes a savings of billions of tax dollars by computerizing Medicare and Medicaid programs and HIPAA, and, except in very small practices, makes electronic billing mandatory. Also, to facilitate quick information exchange in medical emergencies, there is a push for universal patient identifiers, which relates to the second security issue. A nationwide linking of all medical records is possible with such identifiers (Gelman, Pollack, & Weiner, 1999). "A national health ID so presages a national health database that Congress has consistently refused to fund the program" (Privacilla.org, 2003, p. 11). Even so, increasing amounts of new private health information will be traveling the electronic highways, in addition to what is already stored in computers by managed care companies, as the private insurance companies follow the government's lead. …