There is little doubt that the new privacy regulations issued by President Clinton on Wednesday go a long way toward protecting patients from the prospect of third parties getting hold of their medical records. The new rules require most healthcare providers and insurance companies to get patients' written consent before sharing medical information -- either orally or written -- with others.
"The administration is to be congratulated," says ACLU associate director Barry Steinhardt. "It is a significant step forward." A significant one, indeed, but one that does not go far enough, say critics.
Privacy advocates -- and even the American Medical Association -- have long pressured Clinton to limit the "unfettered" access to private medical records that law enforcement officers enjoy in many parts of the country. And many were disappointed that the president didn't issue more stringent regulations for government access in the new guidelines. Specifically, privacy advocates wanted Clinton to require law enforcement officials and government investigators to obtain the highest level of proof -- a court order -- before receiving the documents.
Although regulations vary from state to state -- with some having stricter privacy laws -- many police officers need only a subpoena to gain access to medical records. Patients are not notified, and oftentimes are unable to contest the validity of a subpoena before information is released. Privacy advocates fear that police and others may use the most intimate details of a person's life -- their medical history -- as an investigational tool. For example, a police officer investigating a shooting could show up at a hospital with a subpoena and find out if anyone there had been treated for a gunshot wound. Similarly, records of someone's physical condition could be given to police if the person were a suspect in a murder case and claimed self-defense.
But it could even go further than that. Worst-case scenarios, advocates say, could include a governmental entity like the Drug Enforcement Agency soliciting records of patients who had overdosed or received treatment for drugs within the last five years and conducting witch hunts with that information.
"The whole basis of all of this is trust between the physician and the patient," says Dr. Donald Palmisano, a member of the AMA board of trustees and co-chair of the AMA task force on the subject. "If the patients of America believe their records will be subject to review by government agencies, police and attorneys without their consent, the trust will diminish. Patients won't tell doctors the sometimes embarrassing things we need to know to make the diagnosis and decide on the best treatment," he says.
But some law enforcement officials in areas with lenient access laws say that individuals' privacy has not come at the expense of the expedited process. For years, prosecutors in Cook County, Ill., as well as others around the country, have been obtaining medical information for cases they are prosecuting by using only a subpoena. "To me, it has not been a big problem," says Patrick Driscoll, chief of the Civil Actions Bureau for the Cook County state's attorney's office. "I don't want people snooping in records, but you have to presume that there's good faith out there of the people having the subpoenas issued." Driscoll also says that a defendant's attorneys can object to the validity of the medical information being included as evidence; they can file a motion and have it quashed.
In fact, if every request for medical information had to be issued by a judge, Driscoll believes it would slow down the investigative process. In cases where prosecutors are running up against the statute of limitations or face a speedy trial, every day is critical. And Driscoll says the sometimes lengthy process of preparing a motion, getting it on the court's docket and having the judge rule on it could really make a difference. "I wouldn't say it would stop things and allow criminals to walk free, but it could slow things down." As it stands, it is nearly instantaneous.
But the stricter standards sought by privacy advocates are already in place in California. "We clearly understand that we don't have access to them unless it's relevant to the prosecution of a case," says Inspector Sherman Ackerson, spokesman for the San Francisco Police Department. "If we're going to search some house or treatment facility, we know they are off-limits without a court order ... And there's ample time for that."
The federal rules implemented by President Clinton were ordered by the 1996 Health Insurance Portability and Accountability Act (HIPAA). It will go into effect in two years and will not overstep more restrictive state laws like those in California. It also allows patients to see their own records and holds providers responsible for third parties, like a company that processes a doctor's billing, for divulging information. Since Congress could not pass a patient privacy law on its own by August 1999, the responsibility defaulted to the administration. Those who intentionally violate could face fines of up to $50,000 and time in prison.
Legally, President-elect George W. Bush could reverse the rules, but most feel that that's unlikely given how laborious -- and contentious -- it would be to do so.
Shares