US Approves New Guidelines For Medical Privacy

iElucidate writes: "Mindwire.org is reporting on the adoption by the US Department of Health and Human Services of guidelines for privacy of personal medical records. In 1996 Congress mandated the creation of medical privacy standards by the end of 1999. Since Congress did not act, responsibility went to the Department of Health, which drafted a standard, gave a year for public comment, and finally approved it for use. The new standard requires that hospitals and HMOs keep information secure, and requires stiff penalties for the release of unauthorized information. Finally, no more employers snooping on employees psych. records. About bloody time!" The Department of Health and Human Services issued a fact sheet summarizing the new regulations.

What about law enforcement and legal cases?

[andyo]

The earlier HIPAA regulations (some 150 pages worth) contained complicated, waffling rules about when the police could get access to health-related information and when it could be released to a court in a legal case. I would like to see what the new regulations say in these areas.

I have worked in the health field for many years..

[buckrogers]

These regulations really do nothing to protect your privacy.

Most of the time your medical information is sent unencrypted across computer networks using well known protocols such as HL7.

Nearly anyone with a packet sniffer at a major university with a medical center can watch patient data flow past.

These regs are just feel good things and do not change anything.

Re:Conditional privacy

[GungaDan]

Sweet Jeebus, are you trying to install the 4th Reich? Such scaremongering and irrational fear of people with medical conditions belongs at Liberty University, not on /.

Personally, I think we ought to force social conservatives to wear ID tags so that they might be spat upon at will by HIV-infected junkies with paranoid psychoses.

Re:Big hole that needs to be fixed

[medscaper]

The "big hole" is simply those companies and medical care providers that do NOT participate in HIPAA guidelines. It's not a requirement (yet) that all providers use HIPAA security guidelines.

Maybe you should all restrict your care to organizations that cliam HIPAA compliance?

Re:Excellent

[Planesdragon]

...I move to a new apartment. I set up my new phone service. By default, my name, address, and phone number are pimped out to whoever has the money to buy them, aka the phone book...

You just highlighted the biggest reason that "privacy" is an over-rated fanaticism on the internet. Of course your location should be public knowledge--anyone who cares to should be able to track you down, unless you take cares to hide yourself. For a moment, take "privacy" to the physical world--you meet someone, but refuse to let them see your face because it violates your "privacy."

Of course, you should definitly have the option of being prviate--you can hide your face, or close the blinds on your house.

Getting back on topic, this (medical privacy) is a Very Good Thing. When you go to a doctor you're not in public, you're expecting privacy--just like in your marriage bed, or when you go to talk to an attourney about that odd smell in your basement and those weird, violent nightmares...

This is a major law, and no one's really ready

[mat+catastrophe]

I work for for a medical-related education center, and I can tell you that hospitals have been *anxious* about this for over a year now. They know that these regs are serious and that any infraction will mean some hefty fines.

The problem is that very few organizations are really ready. While hospitals are probably the most ready, it's only the ones with a top-notch IT staff that think they'll make it. As for your local general practitioner's office: Forget It. These people have little idea the law was passed, much less that it's going into effect. If I had the background in CS/Security, I would seriously think about starting a company to *specialize* in HIPPA regulations. The public health industry will pay big bucks to make sure they don't run afoul of these laws....

Examples:

If a fed walks into a doctor's office, or a hospital and can walk up to a machine that's on a network and/or has access to any health or billing record, that's a fine. A big one. How many nurses/doctors do you think will logout or secure their terminals everytime they have to walk down the hall?

Fax machines? Ever screwed up and sent your office's lunch order to a vendor? Or, vice-versa? Doing that with a patient's file will get you slapped.

Telemedicine? Absolutely a biggie. If someone who isn't supposed to be viewing a consultation through a teleconference system, people are in trouble....

Now, the good news is that these laws won't fully go into effect for a few months, and it's very hard to see right now what priority the incoming Bush Jr. Administration will put on these regulations....

Privacy/Security of personal med data is complex

[la1n]

This is going to be really tricky.

HIPAA started out as administrative simplification and paperwork reduction which is why it is called the "Health Insurance Portability and Accountability Act". Prime focus was on standardizing health insurance paperwork claims to reduce costs.

Obviously, you have to put into place minimal security and privacy rules into these standards, especially since medical centers are notoriously bad at this kind of stuff. But, you also need to keep in place a "back door" for emergency access. If a new patient comes in off the street (unconscious) with urgent need, medical professionals need access to his/her private data to provide appropriate care.

ADA

[theglassishalf]

The ADA has been significantly weakened in the last few years thanks to our lovely supreme court. They decided that anything that could be corrected (through medicine, eyeglasses, whatever) was not a disability. Therefore, you could be fired for a disability which is correctable. See here for some info about the decision. Our lovely supreme court has done some wonderful things for workers rights and freedom...Those of us who have studied law knew about their conservative biases long before Florida. (Flaimbait, maybe. But hard to argue...) We (in the US) need laws protecting our medical records from anyone whom we have not given explicit written permission to access them. We also need to restrict the companies who have the right to ask for the info to insurance companies and doctors, NEVER employers.

Your point is well taken, I just hope people reolise that the ADA has been dismantled by the court and is no longer an effective protection. This law by the clinton adminastration is a start, but more needs to be done. -Daniel

Re:I have worked in the health field for many year

[flink]

HIPPA will require all EDI transactions to be encrypted, first over the Internet, and later even LAN traffic must be encrypted.
At IDX Systems we're using PGP to send claims transactions to clearing houses.

-An EDI drone

Not ignorance...

[www.sorehands.com]

It was my lack of clarity. I was looking at functional relief, you were looking at the statute and seeing a little token.

Re:I have worked in the health field for many year

[rottcodd]

Last semester, my school started providing insurance for us grad research assistants... I decided to look at the insurance company web site ( http://www.gmsouthwest.com/eligibility/ )... Gee, it looks swell. It doesn't even say you can't look at other peoples' records, all you need is their social security number and their last name. I suppose it was a nice gesture, the school providing health insurance, but I don't think I'll be using it.

Does the Government get anything from this?

[PHAEDRU5]

It seems that every time the government issues these sorts of regs, it expands the amonunt of information it gets, at the expense of the amount of information available in the public sector.

Conditional privacy

Why should everyone be entitled to medical privacy?

There are surely conditions under which the government, and indeed neighbours, deserve to know whether a person has particular medical conditions.

For a start, mental illness. It is important to know if someone you have to work in close proximity to has a serious mental condition, and could conceivably be a danger to others. Or how about AIDS? Considering how dangerous this disease is (we are always being told this), shouldn't the government introduce mandatory testing, and even quarantine?

Just a few ideas.

Re:Conditional privacy

[Harri]

Because if you give out the addresses of people with these sort of problems, they will be driven away by their neighbours, and then not even the police or the Social Services will know where they are to keep an eye on them.

Not to mention a whole host of other reasons, for example, the right to live out the remaining ten years of your life in some kind of dignity, for the majority of us who are not stupid enough to pass on any fatal diseases we might catch.

If there are really certified homicidal lunatics living down your street, surely they should be living in a secure mental institution, rather than the police just telling all the neighbours that they should probably watch out when the full moon comes round.

Excellent

IMO, insurance companies shouldn't have the right to any personal health information, even things like whether or not you smoke cigarettes. A disturbing trend here in FL is that some alcohol/tobacco stores are starting to require that you not only show your ID, but also have it scanned. (Most notably ABC Liquors.) Now, before you flame me saying that they're only trying to verify your date of birth, consider that a friend of mine wasn't allowed to make a liquor purchase because his driver's license was expired. That, in my eyes, is evidence that they're not only checking the date but also tracking your purchases. Probably by storing your social security number, which as any US resident knows, can uniquely identify any citizen. Of course, what I'm leading to is just what they're planning on doing with that information: selling it to insurance companies and whoever else has the money to buy it.

Now, the real question is, how in the world did these companies aquire the right to information that is supposed to be between you and the government, and nobody else?

Also consider the telephone company, which operates by similar policies of "to hell with customer privacy, we're making money". Witness the following scenario: I move to a new apartment. I set up my new phone service. By default, my name, address, and phone number are pimped out to whoever has the money to buy them, aka the phone book. It's the same idea as the ID scanning. What in the world gives these people the right to our personal information? Of course the answer is the US government. They probably encourage this behavior, since it only adds to their ability to "protect us from ourselves".

Sorry for the rant, but this really makes me want to puke.

Downside

[rich22]

Government access to medical records for the public good, such as for research, public health crises, and law enforcement.

Limits on HMO and health providers use of and access to health information.

So big brother sees all, but medical companies whose business is health care lose rights to information? Sounds like this could open the door for the insurance lobby. It creates an excuse for health insurance rates to rise - since the company can't know your own particular circumstances, it has to place you into a category of people. Much like the car insurance effect on unmarried males under age 25. Unreal. We have more information and use less of it.

Re:Downside

[Masem]

They don't lose access -- they lose *unchecked* access. If your health insurence co. wants your health records, they need you to sign a consent form which they have to keep on record for several years. This allows you to know that you data is being transferred. In the case of health insurence, I would figure they do need this data, so I'd allow it.

And if you don't already believe that health insurence co's based their rates on your age already, in addition to other medical conditions, then you've been living in the wrong world.

Re:Downside

[GungaDan]

The "business" of insurance has not, traditionally, been to selectively cover thoroughly-researched individuals to minimize its own risk while maximizing profit by insuring people who aren't in any particular need of the risk-sharing system (i.e., whose own risk is such that they will pay into but not take out of the pot). The business of insurance has been to pool the risk with wider coverage encompassing some uncertainty as to when the risk arises, and in which individual. The new privacy laws will hopefully prevent HMOs and traditional 3rd party payers from fishing for healthy folks and throwing those who are in need of coverage by the wayside. By way of honest disclaimers, I support, in theory, socialized common-denominator health care, with continuation of the for-profit system for non-essential facelifts, nosejobs, etc. As for the comparison to auto insurance, well that's a big fat red herring. Unsafe drivers are in a position of choice - drive safely or drive like a schmuck. Those who choose the latter arguably should pay more. Someone with Schizophrenia has no say in the matter, and cannot ethically be punished for being ill, by being charged exorbidant insurance premiums. Someday the majority of folks in this shithole of a country will realize that certain things are too valuable to be left to the corporate profit-mongers. Airline/travel regulation was one of those thing (thanks Crazy Ron!). Health care is another. Folks on /. like to bitch about Mister Bill and his digital tyranny. Well, Mister Bill's ideological cousins own your hospitals, your insurance companies, your HMOs. They could all use a good shot of Nader upside their microcephalic heads.

High Time, but too late for some.

[LauraLolly]

These regulations are too late for many people, as a news brief on firing by genetype makes clear in this month's Scientific American.

Although it may be illegal by the ADA, I know of people who were not hired because of health info, and I know another who was denied a mortgage because of a heart ailment.

May this help others in like case.

It's None of the Gov't's Business

[Figec]

I'd rather take my business to those companies and doctors that cherish my privacy rather than trust the government to put a gun to the head of those doctors and entities that don't cherish my privacy. When the government does that, it makes those entities hesitant to release my information when it is prudent for fear of being fined or jailed.

Next up: Federal Medical ID's. We're on our way to socialized medicine...

Re:It's None of the Gov't's Business

[Nicolas+MONNET]

I'd rather take my business to those companies and doctors that cherish my privacy rather than trust the government to put a gun to the head of those doctors and entities that don't cherish my privacy

How can you those company who claim to "cherish" actually respect your privacy if there's nothing that prevents them to get that information without telling you?

--

Comment period

[Icebox]

They state that they received over 52,000 suggestions during the comment period for the guidelines. I wonder how many of those came from HMOs and other insurance companies? Since I have no idea how one finds out, before the end of the comment period, about such guidelines I won't hazard a guess. This does seem a bit like the solicitation for comments on the DMCA (or, more specifically, requests for hardships caused by the DMCA). It seems like things like this are never well publicized given how much they impact our everyday lives.

Re:Not enough!

[wolfgang_spangler]

About half way down in the fact sheet...

ESTABLISH ACCOUNTABILITY FOR MEDICAL RECORDS USE AND RELEASE

Penalties for covered entities that misuse personal health information are provided in HIPAA.

Civil penalties. Health plans, providers and clearinghouses that violate these standards would be subject to civil liability. Civil money penalties are $100 per incident, up to $25,000 per person, per year, per standard.


While I don't think those penalties are stiff enough, they do exist.

Loophole in gov't security??

[medscaper]

The government had some neat ideas in HIPAA guidelines, but I learned something interesting :

"Government access to medical records for the public good, such as for research, public health crises, and law enforcement." is a new requirement.

What is that? This means that in any case in which the government sees need, medical records can be used without permission, without compensation, and without guarantees of privacy? Give me a break.

That's what's called a loophole, folks.

Re:Loophole in gov't security??

[la1n]

Access for the public good for statistical analysis can be granted as long as "personally identifiable information" is withheld. It's OK to be part of a summary statistic where the individual contributors are not identified.

Public health crisis access may be necessary for when then next plague comes. We haven't really had this since the Spanish influenza back in 1918. Imagine what something like small pox could do to New York City. This kind of access should only be granted for Center for Disease Control emergencies though.

Law enforcement access to personally identificable medical information is a BAD BAD idea. People need to be able to trust medical professionals. Otherwise, disenfranchised members of society fearing police actions will avoid medical treatment for highly contagious diseases... This provides the necessary critical mass outbreak sub-population for the next plague.

It's more to protect us...

I work for a health care company. This law also goes into standardisation of medical, and electronic forms, which is something that is needed. It also forces companies that see your medical information (ie.,the Drs' billing service, the billing services claims clearing house, the insurance company, blah blah blah.) The fact is when you go to most Dr.s, and you have insuracnce then the claim is ether sent via mail, or if your Dr. quit living in the 1800's then it will be transfered electronicly. Remember each of these stops on the way of the insurance comany provides another file to be stored on a server somewhere with all of your medical records. I'm glad that we have this law now, becuase it's forces unethical or ignorant middle man companys to protect your privacy.

Cool, it's about time!

[KlomDark]

At least some laws are now being passed protecting our privacy. I'm glad to see it. Now I only can hope for more privacy laws. Maybe this will start a trend. So much for that guy that said "You don't have any privacy, get over it" (Scott McNealy??)

Remember, they are not going to just give you privacy - you have to DEMAND your privacy.

Oh my god!

[Fjord]

This is just scary. From the article:

A 1999 survey by the American Management Association found that 30 percent of large and midsize companies sought some form of genetic information about their employees, and 7 percent used that information in awarding promotions and hiring. As the cost of DNA testing goes down, the number of businesses testing their workers is expected to skyrocket.

GATTICA is here. >shudder< This makes me want to lobby.

Not enough!

[www.sorehands.com]

I didn't see anything about civil penalties.

When there are criminal penalties, it's very difficult to get them enforced. The only time that government will press charges is in an extreme case or when someone has political connections. This does not provide much of a stick.

By providing a private right of action, along with statutory damages, it makes it easier for an individual to take action. It's very hard, in most cases, to set damages. How can you indicate what damages have occurred when your employer is notified that you took an HIV test and then fired the next day? Prove it was them knowing that you were tested as the reason you lost a job. It's the same as proving it was one item on your credit report that caused you not to get that credit card that includes air-miles.

For the record, the above incidents did not occur.

Re:Not enough!

[www.sorehands.com]

No. They may be there, but they don't exist.

Without awards of attorney fees and costs, it won't work.

Even if filed in small claims court against a hospital or HMO, they can remove the case to federal court (based on federal question). Then, either you'd have to learn rules of procedure, or get an attorney.

With most consumer protection acts, it includes attorney fees to encourage people to assert their rights. With anti-discrimination laws, wage payment laws, fee shifting was put into place for that reason.

Re:Not enough!

[wolfgang_spangler]

Ah, I see. My ignorance proved yet again!

The Cost of Privacy

[robbway]

The best part is the restriction of non-medical use of the information, which should always be by permission. The downside are the release and waiver forms you'll have to sign to get your lab results worked on. This will be reflected in higher costs. Time will tell if it's worth it.

----------------------

Re:The Cost of Privacy

[GungaDan]

The cost/benefit ratio here is very similar to the trade-offs inherent in changing one's browser settings for "security" (really privacy/confidentiality) reasons. Although I doubt that the implications in medical care will be nearly as annoying as the various prompts and warnings one encounters in browser-privatizing.

I agree with your claim that non-medical use of medical record information should always be by permission, but my colleagues in public health research truly resent that claim. For many years, there have been 4 criteria at 45 CFR 46.116 which are required to be met in order for the requirement to obtain a research subject's informed consent may be waived. Those are:

"the research involves no more than minimal risk to subjects"

"the waiver [of the requirement to obtain informed consent]... will not adversely affect the rights and welfare of the subjects"

"the research could not be practicably carried out without the waiver"

and "whenever appropriate, the subjects will be provided with additional pertinent information after [unconsented] participation."

My understanding is that HIPPA raises this to 8 criteria, and I've not yet had the chance to read the 4 new ones. Researchers who count on ready access to medical records for data are pissed. People who insist on privacy at all costs are somewhat (though not entirely) pleased. As robbway suggests, time will tell if the new privacy measures are "worth it" for citizens or if they are the death knell of population-based public health research, but it must be recognized that this has been a very delicate balancing act for policy makers. They should be applauded for having the cajones to even try.

Worthless

[Crawl]

Of course, according to this CNN article (via rc3.org), these new rights that we all get will be pretty much worthless, since most HMOs and other insurance plans will require their members to waive their new rights under this legislation in order to keep their coverage.

It's a Good Day (TM)

[bwt]

First the NSA releases GPL'd security code and now this. It is officially a Good Day (TM).

I almost can't believe it. My natural inclination is to look for some cynical motive, but I just can't find one.

Merry Xmas, Slashdoters...

Big hole that needs to be fixed

[wolfgang_spangler]

This makes no mention of places like life insurance companies....the following paragraph is an important one...call your congressman!

THE NEED FOR FURTHER CONGRESSIONAL ACTION
HIPAA limits the application of our rule to the covered entities. It does not provide authority for the rule to reach many persons and businesses that work for covered entities or otherwise receive health information from them. So the rule cannot put in place appropriate restrictions on how such recipients of protected health information may use and re-disclose such information. There is no statutory authority for a private right of action for individuals to
enforce their privacy rights. We need Congressional action to fill these gaps in patient privacy protections.