Does HIPAA’s Privacy Rule Protect Patient Information?

By Jesus Aceves, Roxana Islas, Diana Muñoz, and Leanna Wagner

In the early 1990s, there was a technological shift that was occurring. Many things were moving to computer-based systems and health care was one of them. In an effort to move towards this change, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was signed into law (Frank-Stromborg, 2004). The main goal of HIPAA is to provide safeguards to individuals private information (Frank-Stromborg, 2004).

Prior to 1996, the United States had no law that regulated the privacy of individual’s health information (Solove, 2013). However, it is reported that privacy was a big concern for patients, with 85 percent of health care consumers feeling that privacy was an essential, but the reality was that 400 eyes on average saw patient medical records on a typical hospital admission (Frank-Stromborg, 2004).

Privacy was also a concern at the time because more and more information that was beginning to be shared digitally, via fax or new digital systems that had not yet been regulated (Frank-Stromborg, 2004). Due to the nature of these issues, Congress felt it was important to establish a set of standards to ensure that a patient’s records were as confidential as possible (Frank-Stromborg, 2004, Slutsman, Kass, et al., 2005). Congress felt that patients’ medical records should not be open to all eyes, and that it was important to provide patients with the right to grant or deny access to individuals (Slutsman, Kass, et al., 2005).

Even though the Health Insurance Portability and Accountability Act (HIPAA) of 1996 implemented the Privacy Rule under Title II as a means to enhance the patient’s rights and protections, critics claim that these standards threaten patient’s privacy (Kuczynski & Gibbs-Wahlberg, 2005). Kuczynski & Gibbs-Wahlberg (2005) argue that there are two security issues that put patient’s privacy and confidentiality at risk. The first security issue is the sharing information by health care providers through the internet for the purposes of billing. A provision under the Privacy Rule includes making medical practices and hospitals responsible for protecting patients’ private health information (Mitka, 2013), still this does not guarantee that private health care information will remain safe and secure through the internet (Kuczynski & Gibbs-Wahlberg, 2005). For example, hackers stole thousands of confidential records from the University of Washington Medical Center in 2001.

Another study asserted that in 2002, 90 percent of large government agencies were victims of hackers. In fact, to date there is no program that can protect medical information from hackers and keep it 100 percent safe.  The second security issue is that patients’ personal health information can be disclosed without their consent and without notice. For example, patients’ private information can be accessed through computer data by government agencies, pharmaceutical corporations, and private insurance companies without their consent (Kuczynski & Gibbs-Wahlberg, 2005). Additionally, patient private information can also be shared by health studies and drug marketing (Kuczynski & Gibbs-Wahlberg, 2005). The Privacy Rule raises concerns in regard to patients’ personal autonomy because their private and medical information is used and disclosed without their permission, and it removes patients’ ability to protect their private healthcare information by paying out of pocket (Kuczynski & Gibbs-Wahlberg, 2005).Moreover, studies have shown that after the Privacy Rule implementation patients continue to show concerns about their privacy and confidentiality in regard to their medical records (Nass, 2009). For example, one survey indicated that 70 percent of participants were concerned that their private medical record information might be leaked, and 69 percent expressed concerns with their medical record being shared without their consent (as cited in Nass, 2009).

According to survey findings, many patients have concerns about insurers and employers accessing their private health information without their consent (Forrester Research, 2005). Polls revealed that patients fear being discriminated by employers on the bases of health information and fear employers will use this information to limit job opportunities. Additionally, this study revealed that racial minorities showed the greatest concern among participants (Forrester Research, 2005). Hence, ensuring privacy and confidentiality enhances autonomy and prevents financial harm, embarrassment, and discrimination (Pritts, 2002). Concerns about privacy and confidentiality need to be addressed by professional organizations so that patients are aware of the impact of new HIPAA regulations and practices.

The distribution of power begins at federal level and goes down to the individual healthcare providers, who are all responsible for implementing this federal law. Congress oversees HIPAA overall and ensures that the Privacy Rule is kept up to date on current technological advances in efforts to avoid data breaches. Despite the number of Privacy Rule revisions that Congress has continued to make, patients privacy rights are still being violated through electronic data breaches. However, all healthcare providers are responsible for understanding and protecting patient’s private healthcare information. The Privacy Rule explains that violations of law should be reported to state and federal authorities.

The power of this legislation is mostly held at the local government level. The counties tend to have HIPAA guidelines and policies to standardized trainings all county contracted agencies get. Most local governments have a designated HIPAA person, usually referred to as a compliance officer, to streamline compliance. All other healthcare settings may have their own trainings in order to be in compliance with HIPAA guidelines.

Although the Privacy Rule was developed to protect patient’s privacy rights, health care professionals hold more power over patients. In healthcare related settings each employee trained to protect patient’s health information. However, health care professionals may struggle with fully understanding the Privacy Rule that can be unclear at times. For example, the Privacy Rules explained that the rights of parents and minors must be deferred to the state law. This impacts patients because they hold the least power and minors, are at a greater disadvantage because of confidentiality with providers and their parents. Overall patients tend to be uninformed of their legal rights that are protected under this legislation. Therefore, to ensure that patient’s healthcare information is being protected, patients first need to be informed and educated of their privacy rights.

In an attempt to increase privacy HIPPA unintentionally created a barrier to providing quality care to patients (Scott, 2000). A $11 million study was conducted four years after the enactment of the law. The study found that providers were having difficulty understanding and complying with the basic standards of the policy (Wilkes, 2014). This has resulted in the medical community becoming hesitant to disclose PHI due to fear of breaking a policy they do not understand (Wilkes, 2014). This led to patients also feeling a need to protect their medical records and more mistrust of the medical community (Wilkes, 2014). This resulted in patients not receiving quality care due to lack of appropriate sharing of patient information. HIPAA also restricted supportive services to patients such as restricting visitors and pastors coming to the hospital to provide spiritual support (Scott, 2000). It also limited agencies from reviewing medical data that could be used to help providers or insurance agencies send reminders for yearly tests to improve health and take a proactive approach to illness (Scott, 2000).

In conclusion, the Privacy Rule was developed to protect patients’ private health information. Congress has continued to make revisions to Privacy Rule to include the evolving use of technology and ensuring that medical practices and hospitals are held responsible to protect patient’s records. However, the literature demonstrates that there are loopholes and unmet needs such as electronic data breaches that that still need to be addressed. Patients also need to be better informed of their privacy rights. Therefore, policy changes are needed to address the concerns of confidentiality and patient privacy.

References

Forrester Research. 2005. National consumer health privacy survey 2005. Retrieved from

https://www.chcf.org/publication/national-consumer-health-privacy-survey-2005/

Frank-Stromborg, M. (2004). They’re Real and They’re Here: The New Federally RegulatedPrivacy Rules under HIPAA. Urologic Nursing, 24(1), 14-21.

Kuczynski, K., & Gibbs-Wahlberg, P. (2005). HIPAA the Health Care Hippo: Despite the Rhetoric, Is Privacy Still an Issue? Social Work, 50(3), 283-287.

Mitka, M. (2013). New HIPAA rule aims to improve privacy and security of patient records. JAMA: Journal of The American Medical Association, 309(9), 861-862.

Nass, S. J. (2009). Beyond the HIPAA privacy rule: enhancing privacy, improving health through research. Retrieved from https://ebookcentral.proquest.com

Pritts, J. L. 2002. Altered states: State health privacy laws and the impact of the federal health Privacy Rule. Yale Journal of Health Policy, Law & Ethics 2(2):327–364.

Scott, C. (2000). Is too much privacy bad for your health? An introduction to the law, ethics and HIPAA rule on medical privacy. Georgia State Law Review, 17(2) 481-529.

Slutsman, J., Kass, N., McGready, J., & Wynia, M. (2005). Health Information, The HIPAA Privacy Rule, And Health Care: What Do Physicians Think? Health Affairs, 24(3), 832-842. doi:10.1377/hlthaff.24.3.832

Wilkes, J. J. (2014). The creation of HIPAA Culture: Prioritizing privacy paranoia over patient care. Brigham Young University Law Review, 2014(5), 1213-1249.